I can't seem to access the data noted in the Slashdot article. But other sources of data don't support this claim. See http://www.dwheeler.com/oss_fs_why.html#security - Attrition.org and alldas.de data suggests that, in the time they collected data, Windows was less secure.
An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.
But the recent attacks certainly give evidence for the Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.
The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".
Yes, thanks for clarifying what I meant. Part of the OS is on a special location of the disk, and not on the CD.
That's important for security: since the computer has been owned, why should I trust what's in that hidden partition? The attacker(s) might have modified that too!!
Security-wise, it's best to completely erase everything and start over. But with this particular type of Windows XP installation, I cannot erase everything and start over.
I can do that with most other operating systems (such as Red Hat Linux, or even other versions of Windows): if they've been broken into (or I strongly suspect it), I can erase everything (or swap out the hard drive) and start over fresh.
With this type of Windows XP installation, I must pray to the Tiki gods that the attacker forgot to attack the part of the computer I cannot defend.
Of course, if I'm an attacker, wouldn't I want to attack the part of the computer that cannot be undone?
Not all Windows XP installations are set up this way, but many are. And this particular installation technique is uniquely dangerous.
As far as I can tell, only certain Windows installations are this vulnerable in today's market.
GNU/Linux systems can be used to help Windows systems get a little more secure.
A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.
My solution?? I used Red Hat Linux to download the patch, and wrote it on some media.
Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!
Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.
Personally, I think it's absurd that I have to sign up for a special list just so that I can use my own email inbox.
However, that may be the only tractable way to proceed by legislation. And I think it's critical that spam be made explicitly illegal. Murder still happens even though there are laws against it, but the threat of action certainly helps deter it. If spam were illegal, there would be fewer people doing it. And if just the top ten spammers were captured, separated from their possessions, and possibly jailed, there'd be a whole lot less spam (they send most of it, and there'd be a lot of disincentive for anyone to replace them).
However, what will not work is requiring every email have an "opt-out" box. That's just a way of getting more spam; any opt-out list has to be one, single list. And having a national email list, with cleartext email addresses, is clearly a non-starter - that would just ensure more spam, by those who don't care about the law.
The simple solution is to store cryptographic hashes of email addresses - not the email addresses themselves.
That way, having the address list doesn't actually give you a list of valid email addresses - it just gives you a way to (painfully) check if a given name exists on it.
More details are at: http://www.dwheeler.com/essays/stopspam.html#opt-out-list
This isn't perfect, but it might be a step in the right direction.
The current legislation makes it okay to spam as long as you do a few stupid things that harms consumers. That's worse than the current situation; at least some state laws have a small bite. But it makes sense - they're listening to the spammers, and not the people being harmed. They need to enact stronger laws than they've been willing to consider so far.
The book reviewed here is about how to SECURE a Mac OS X system given pre-canned applications.
However, for information on how to write secure applications, you'll want more information. Please take a look at the Secure Programming for Linux and Unix HOWTO. It's free to download and redistribute (GFDL), and has lots of information on how to avoid common mistakes.
This looks like a highly protectionist policy, and I doubt it would help open source software. Indeed, this will probably hurt China, too.
China isn't embracing open source software, it's simply having a "only buy Chinese software" policy. But the history of such trade barriers is not encouraging, typically the "local" producers create poor products (knowing they have a captive audience) and can't compete long-term.
The word processor they're preferring is just another proprietary word processor. Wonderful, now the world has multiple incompatible proprietary formats for documents.
And it's not as if they're really competing with each other: the mandate might ensure that Chinese only use one product, and its poor showing in the market will ensure that no one else will touch it.
For codecs it's even worse. The world already has patent-encumbered codecs that inhibit appropriate use. Why does the world need two incompatible sets of patent-encumbered codecs? All that does is inhibit data exchange and tax everyone.
The world would be better off if they supported the Ogg Vorbis / Tarkin / etc. group.
Even their support of Red Flag Linux may not be all that helpful to open source software. I suspect Red Flag will end up with all sorts of proprietary bells and whistles.
And again, due to protectionism, it probably won't be competitive worldwide, because it doesn't have to be.
True, this will probably harm Microsoft. I suspect that it won't really harm U.S. firms that much, because I understand that piracy is so rampant that only a relatively small percentage of software is bought legally anyway. But that doesn't mean this policy will help open source software. And in the end, it's likely this will harm China, too, because organizations that don't need to compete tend to be uncompetitive.
Clearly there are products which at least attempt to compete in the office suite space.
But I think that mere existence of a product is not enough to be a "real" competitor.
In my mind, there is "real" competition if the existence of some competitors (and their products) constrain the behavior of the lead competitor(s).
By constrain, I mean reduce prices, innovate new features that they think customers really want, and so on.
Is Microsoft reducing their general prices, or creating real innovations, because Open Office exists? Not yet in the general case. This pricing differentiation is already happening in specific cases, such as in Munich, but as of yet it's not trying to compete for Joe Average.
By the way, I think their new DRM features don't count as innovation - they appear to me to be a new way to lock in users and constrain competition, not to really help end users.
As a practical matter, for "real" competition, there should be a significant fragment (say 30%+) of the potential users who will seriously consider using it, and some number of users (say 20-30%) who actually use something else. The exact numbers aren't as critical as the fact that the existence of a competitor changes the behavior of the lead competitor.
Oh, to answer your question,
I've used many different office-related products, including Microsoft Office, Star Office, Open Office, Abiword, Gnumeric, KOffice, Word Perfect (I've also used WordStar, Apple Writer I and ][, and Lotus 1-2-3, but those are only historical now).
So yes, I've used a number of products.
The biggest trouble with many of the open source programs is that they cannot properly open common Microsoft Office files. This is an absolute bare MINIMUM requirement for real use.
Eric Raymond's DRAG.NET gets this right on:
We booked KWord on a 305: being kind of pointless. Even if you only read in the text and lose all the formatting, the ability to at least view the file format in which 95% of all business documents are currently being produced (ugly or not) is essential to any serious word processor.
A second problem with many of the open source programs is that they don't run on all the major platforms. No one will want to risk running an office suite if they can't trade data with their cohorts. If the application runs on everything, their risk is reduced.
This is why I'm particularly impressed with Open Office: it seems to import/export Microsoft Office files better than anyone else, including more of its sophisticated features, and it runs on LOTS of different platforms.
I like Abiword's speedy startup and clean approach, but it just doesn't have the functionality and import/export capability. Last I saw, KOffice didn't run everywhere.
If China continues down this path, this could be very helpful to Open Office and other open source software office suites.
Because "nearly everyone" uses Microsoft Office, it's extremely difficult for any competitor to enter the market - even if the competitor was always cheaper and manifestly superior.
However, if large countries increasingly use products other than Microsoft Office, then countries will have to depend on something else than "everyone uses Microsoft Office" to exchange documents. I expect that "something else" to be either a standard document format, or to eventually standardize on some "other product".
A marketplace where there are many competing office products, but a need to exchange office documents, strongly favors open source products. That's especially true if the open source product can run on any operating system, as Open Office can. It's no big deal to say "everyone, let's install Open Office for this project so we can safely exchange documents", since Open Office is free to download.
I wouldn't be surprised to see countries other than the U.S. adopt other office suites first, such as Open Office, and then U.S. companies will be forced to support those products to communicate with their international partners, suppliers, offshore sites, and so on.
I love to see real competition in any market.
Perhaps this will be the start of real competition in office suites.
Governments already support the development of Free-Libre / Open Source Software (FLOSS). The U.S. government - specifically DARPA - developed the BSD TCP/IP stack, for example. More recently, Security-Enhanced Linux (SELinux) was developed that way, and I know that DARPA has a CHATS program specifically focused on FLOSS. Any software developed exclusively by U.S. government employees, in the process of his/her duties, is automatically in the public domain (and thus FLOSS) unless there's some classification issue. The German government paid for improvement (and specifically a GUI) for GnuPG.
Many governments will only fund development work if the government benefits from it directly, or if it's viewed as a good way to disseminate academic or standards work already paid for by the government.
In the U.S., in particular, the government does not want to get into the business of competing with business.
You might want the U.S. government to pay for development of an application "for the good of its citizenry", but competing companies will be unhappy so it's unlikely that approach would succeed.
I can certainly imagine a government might want to discourage its citizenry from depending on a "foreign monopoly", and thus do more FLOSS work. The phrase "office of open source" (OOOS!) certainly sounds amusing! But since FLOSS would aid anyone - not just that country - it's again the tragedy of the commons at work. A set of governments could certainly do something.
You're more likely to get wins in countries where a single person can commit national resources without endless review by committee, and where that single person is unlikely to be bribeable.
It's a fact of life: in some poor countries where FLOSS might be helpful, FLOSS developers generally don't have the money to grease the palms of government people - and proprietary developers do.
Still, you could argue you only need to do it a few times - just one person could fund improvements in Open Office or Mozilla, with very dramatic results, since the products are already in generally decent shape.
But the problem is that, in some sense, there are a lot of public goods and services that governments are being asked to provide, and software just isn't that high on their priority list. I know of no government complaining that it has too much money. Most governments have other things as a higher priority - if they don't fund software then software will still be produced, but if they don't fund schools or defense and so on, they can end up losing the country.
Countries who are in decent shape have some advantage, and in democracies, if you can sell the project as something the country can be proud of I can imagine it working. (Look! We're leading the world in the new FLOSS development techniques, keeping more of our money at home, and growing our local high-tech industry!)
Many will argue that if governments invested more into FLOSS, then they could switch to FLOSS and save even more in the long run. That may be true, but from the government point of view there's a risk that they'll put all that money in, and get nothing back for it.
Even if a FLOSS program is a good one, it's difficult to contract or hire developers in a way that ensures that the work done is worthwhile; many studies suggest that most software projects fail. Even if a FLOSS program is successful, the government program might not create successful improvements to it. For example, governments generally favor the lowest bidder..!
One interesting approach that hasn't been tried often enough is to bid on government contracts. Instead of trying to change the government, respond to how governments already work. If a government requests bids on a set of requirements, bid an approach that includes a FLOSS product that partly meets the requirement, as well as the costs of upgrading the product to meet the government requirements. (Think WINE, or importers/exporters for Open Office to work with Microsoft's proprietary formats). This probably won't work for st
Actually, it DOES do some analysis - see the accompanying documentation. Basically, it looks at the parameters passed to the dangerous function, and adjusts the risk level based on its contents. For example, appending a constant is much less dangerous than appending a variable (because an attacker might be able to make that variable contain naughty data). RATS does the same sort of things (as does ITS4, for that matter).
However, both flawfinder and RATS (and ITS4) have the same basic problem - they only do basic lexical analysis, and none do an in-depth data and control flow analysis of the data sources. That's definitely a weakness, to which I say: I agree - so where's YOUR code? Please develop a more impressive source code analysis tool, and I'll be glad to reference it. Tools like smatch might help you implement one.
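As an added illustration of the argument-aware lexical scoring described above (an example written for this page, not the code of flawfinder, RATS or ITS4): a tiny scanner that finds a few risky C string calls in a constructed source fragment and lowers the risk when the data argument is a string constant, leaving it at full risk when the data comes from a variable. The base risk numbers, function subset and sample source are all made up for the example; like the tools discussed, it does no data-flow analysis at all.

```python
import re

# Added illustration, not the real flawfinder/RATS/ITS4 code: a purely
# lexical scanner that spots a few risky C string calls and adjusts the
# risk level from what it can see of the arguments. Base risk numbers
# are arbitrary choices for this example.
BASE_RISK = {"strcpy": 4, "strcat": 4, "sprintf": 4, "gets": 5}
CALL_RE = re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\(([^;]*)\)")
STRING_LITERAL_RE = re.compile(r'"(?:[^"\\]|\\.)*"')


def split_args(argtext):
    """Split a C argument list on top-level commas.

    Nested parentheses/brackets and string literals are respected, which is
    all this lexical approach needs; no real parsing or data-flow is done."""
    args, cur, depth, in_str, i = [], "", 0, False, 0
    while i < len(argtext):
        c = argtext[i]
        if in_str:
            cur += c
            if c == "\\" and i + 1 < len(argtext):
                cur += argtext[i + 1]
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            cur += c
        elif c in "([":
            depth += 1
            cur += c
        elif c in ")]":
            depth -= 1
            cur += c
        elif c == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += c
        i += 1
    if cur.strip():
        args.append(cur.strip())
    return args


def is_string_constant(arg):
    return STRING_LITERAL_RE.fullmatch(arg) is not None


def scan_line(line, lineno):
    findings = []
    for m in CALL_RE.finditer(line):
        func, args = m.group(1), split_args(m.group(2))
        risk = BASE_RISK[func]
        if func in ("strcpy", "strcat") and len(args) >= 2:
            # Copying a constant can only overflow if the programmer mis-sized
            # the buffer; copying a variable lets whoever supplies the data
            # choose its length, so the constant case is ranked lower.
            if is_string_constant(args[1]):
                risk -= 2
                note = "source is a string constant"
            else:
                note = "source is a variable; its length may be attacker-controlled"
        elif func == "sprintf" and len(args) >= 2:
            if is_string_constant(args[1]) and "%s" not in args[1]:
                risk -= 2
                note = "constant format string without %s"
            else:
                note = "format or %s data may be attacker-influenced"
        else:
            note = "no bound on input length at all"
        findings.append({"line": lineno, "func": func, "risk": risk, "note": note})
    return findings


def scan_source(src):
    """Scan C source text; highest risk first (stable order for equal risk)."""
    findings = []
    for n, line in enumerate(src.splitlines(), 1):
        findings.extend(scan_line(line, n))
    return sorted(findings, key=lambda f: -f["risk"])


# Constructed sample input for the demonstration.
SAMPLE_C = r'''
char buf[64];
strcpy(buf, "hello");         /* constant source: lower risk */
strcat(buf, user_input);      /* variable source: full risk */
sprintf(buf, "id=%d", id);    /* constant format, no %s */
gets(buf);                    /* never bounded */
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_C):
        print("line %(line)d: %(func)s risk %(risk)d (%(note)s)" % f)
```

Run as a script it lists `gets` first, then the `strcat` from a variable, and the two constant-argument calls last. The weakness the comment admits is visible here too: `user_input` is ranked high purely because it is not a literal, whether or not anything untrusted ever reaches it.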
Sure, you shouldn't be coding in C if you don't know about how to protect against buffer overflows. But having a simple tool to help you find the spots you may have forgotten can help.
If you HAVE the source code, use a source code analyzer like my
flawfinder tool (or Viega's RATS tool). Source code analyzers can immediately identify where the problem is, and several are freely available. And has been noted elsewhere, the problem with binary analyzers is that they may show where some possible problems are, but it's very difficult to actually FIX the binary without the source code.
That doesn't mean this is a useless product; if nothing else, if you're planning to use a proprietary program, a tool like this one might help you begin to understand your risks.
I was curious about this statistical translation toolkit, so I downloaded it from here: http://www.clsp.jhu.edu/ws99/projects/mt/toolkit/. I then peeked into the LICENSE file, and found that it's released under the GPL.
No funny weird one-off licenses, or requiring only non-commercial use, or such.
So, if you're interested in statistical translation, download this system and try it out.
I can imagine some distributions of this translation system that take this code - with improvements - and precook large corpuses to create translators.
Anyone want to write the Mozilla and OpenOffice plug-ins for the new menu item "Edit/Translate Language"?
As an alternative, if you already have a Palm, try Plucker at http://www.plkr.org. It's an offline HTML reader for Palm PDAs, and it's Free Software (GPL license). If you can get it in HTML or ASCII text, you can read it.
General-purpose PDAs (like Palm PDAs) may not have quite the resolution of the specialized readers, but single-purpose units are a bad idea when you have to carry them around (who's going to carry 50 devices around?). Even sillier is the locked format; do they really expect us to buy 12 ebook readers, and pay again to download freely-available content on it?
I routinely download documents and websites, and read them at my leisure.
Actually, you can do some good by never recording the actual email address - instead, just store the hash of the address. That way, you can tell if an address is on the "do not send list", but no one can extract the list of email addresses from it. More info is at http://www.dwheeler.com/essays/stopspam.html.
I agree with you, suing the supplier of the spammed goods is more likely to be helpful. But they need to be penalized much more severely, e.g., all money that they made must be relinquished, as well as any legal fees by those bringing suit, PLUS a penalty.
But not all spammers are selling goods... many are selling (often unpopular or hate-based) ideas, and they need to be shut down too.
But actually, I believe we do need laws. They won't completely stop it - murder still happens every day, and all societies forbid murder. But by making it a criminal offense, many of its practitioners will stop, and many existing mechanisms (courts, international treaties, etc) can suddenly be brought to bear.
I believe that in the end, what's needed is a combination of law and technology.
The good news is that the politicians want to be able to use email too. This current proposed law isn't very good (why allow some marketers to spam me without my permission?), it's a good sign that they're starting to try to craft legislation. The first law passed won't be effective, but it'll be the start towards a combination of measures that will stem the tide.
If you REALLY care about this, and you're a U.S. citizen, don't just sign an online petition - write (or at least call) your Congresscritters.
The websites for the House of Representatives and Senate will both help you immediately find who your representatives are and how to contact them.
There are theories that suggest that these black holes won't last long. There are also theories that certain kinds of radiation are already creating these black holes around the Earth today.
But remember:
The difference between theory and practice is much greater in practice than it is in theory.
I think any experiment which, if wrong, may exterminate the human race is a bad plan. Even if this one is fine, I would recommend that as a good rule to live by.
If they really think cosmic rays already create these, would it be possible to set up an observation system? Or, how about performing this experiment on a spaceship going AWAY from us?
I haven't noticed any spare Earths to live on. Perhaps they're available in the parallel universes suggested by some interpretations of quantum mechanics; I ask that the experimenters first provide us a way OFF the spaceship before they risk eliminating it entirely....!
For statistics about open source software / Free Software, see my paper,
"Why Open Source Software / Free Software? Look at the Numbers!", at
http://www.dwheeler.com/oss_fs_why.html . It has a large collection of information you'll probably find useful.
Guarded email completely deals with some of the problems noted in these comments:
How do you receive challenges? Yes - if you SEND a message to someone, then you can set things up to automatically RECEIVE messages from that someone.
Can blind people send email? Yes - the challenge should be human-readable, but not computer-processable. That's easy.
Can you prevent loops? Yes - you have to think about it, but there are simple loop-prevention techniques so that EVERYONE can use these kinds of systems.
Attacking the kingpins will probably have a very nice short-term effect. But will it really help long term? I doubt it. Instead, there will be new kingpins in countries outside their control, perhaps in places where it's still legal to crack into other computers. Also, there will be a gradual increase in spam from the large number of other spammers. We need techniques that work long-term.
If you're interested in countering spam, please check these out:
I read UHH many years ago. Some complaints it raised were frankly debatable even then - they were primarily the complaints of those who liked things differently. Some were legitimate complaints, but have since been fixed.
However, some complaints are still valid today... so having this book on-line could do a great service, by making it possible for people to identify still-extant problems and how to fix them.
For example, it is silly that Unix/Linux allow programs to create files with almost any filename. Leading dashes (-) are nothing but trouble: create the file "-fr", and the next "rm *" will be rather surprising. And why should control characters be allowed? It'd be nice to create an LSM module or whatever to forbid creating files with various awkward characters - or quietly rename them.
Indeed, why not just proclaim that filenames are UTF-8 encodings, and forbid/rename anything else?
And yes, it'd be nice if "copy", "move", and "link" were standard synonyms for "cp", "mv", and "ln". It's easy to do that on a single system, but unless those names are widely adopted, it's not worth bothering. E.G., embed this in LSB conformance. In this case, I don't see enough people caring to make such a change - too bad, perhaps.
I certainly would suggest mining the book for good ideas. But, much of it is no longer relevant, so you have to hunt in it for the good ideas.
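The filename problems raised in this comment (leading dashes, control characters, non-UTF-8 bytes) are easy to check for after the fact, even without the kernel module the comment wishes for. The following is an added example written for this page, not code from the book or the comment; the function names are hypothetical. It inspects names as raw bytes, since that is what the filesystem actually stores, and proposes a conservative rename.

```python
import os
import re

# Added illustration (not from the book or the comment above): a check for
# the filename problems mentioned - leading dashes, control characters and
# names that are not valid UTF-8 - plus a conservative renaming. Works on
# raw bytes, because that is what the kernel actually stores.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def _as_bytes(name):
    return name if isinstance(name, bytes) else name.encode("utf-8")


def filename_problems(name):
    """Return the list of problems with one path component (bytes or str)."""
    raw = _as_bytes(name)
    problems = []
    if b"/" in raw or raw in (b"", b".", b".."):
        problems.append("not a single ordinary path component")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("not valid UTF-8")
        text = raw.decode("utf-8", errors="replace")
    if raw.startswith(b"-"):
        # After "rm *" expands, this name is indistinguishable from an option.
        problems.append("leading dash (looks like a command-line option)")
    if CONTROL_RE.search(text):
        problems.append("control character")
    return problems


def sanitized_name(name):
    """Propose a replacement name that has none of the problems above.

    Invalid bytes and control characters become '_'; a leading dash is kept
    but shielded with a '_' prefix so the original name stays recognizable."""
    text = _as_bytes(name).decode("utf-8", errors="replace")
    text = CONTROL_RE.sub("_", text).replace("\ufffd", "_")
    if text.startswith("-"):
        text = "_" + text
    return text or "_"


def audit_directory(path):
    """Map each problematic entry in a directory to its list of problems.

    Uses a bytes path so that names which are not valid UTF-8 are still seen."""
    report = {}
    for entry in os.listdir(_as_bytes(path)):
        problems = filename_problems(entry)
        if problems:
            report[entry] = problems
    return report


if __name__ == "__main__":
    # Constructed sample names; the third one is a Latin-1 byte, not UTF-8.
    for sample in ("-fr", b"report\x07.txt", b"caf\xe9.txt", "fine.txt"):
        print(sample, filename_problems(sample), "->", sanitized_name(sample))
```

Until a filesystem actually enforces such a rule, the usual defence at the shell is to end option parsing with `--` (for example `rm -- *`) or to qualify names with `./`, so that a file called `-fr` reaches the program as a filename rather than being parsed as options.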
If you hate spam (I do), you might find these interesting:
http://www.dwheeler.com/essays/stopspam.html: An essay about stopping spam. Although I think opt-out lists are a poor solution, they can be made to work - but they have to be run by someone without a conflict of interest (not true here!), and in a way that doesn't increase spamming (e.g., just store hashes, not the email addresses themselves).
Make the spammers pay for the opt-out list upkeep.
Most importantly, it has to be supported by law, not by lame "self-regulation".
http://www.dwheeler.com/guarded-email: A paper about Guarded Email, a particular challenge-response approach. Unlike heuristic approaches, these approaches kill off the attack / counter-attack cycle we're stuck in.
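The "store hashes, not the email addresses" idea appears in this comment, in the earlier comment on a national opt-out list, and in the reply about never recording the actual address. The block below is an added example written for this page, not code from the stopspam essay or from the comments: a do-not-email list that keeps only keyed hashes of normalized addresses, so the list file can be distributed without revealing a single address while a sender can still test whether a given address is on it. The class and function names and the demo key are constructed for the example.

```python
import hashlib
import hmac

# Added example, not code from the essay linked above: a do-not-email list
# that holds only HMAC-SHA256 values of normalized addresses. Whoever holds
# the list file sees 64-hex-digit strings, never an address.


def normalize(address):
    """Canonical form, so that case and stray whitespace don't defeat a lookup."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError("not an email address: %r" % address)
    # Domains are case-insensitive; local parts technically aren't, but nearly
    # every mail system treats them so, and an opt-out list should err on the
    # side of matching.
    return local.lower() + "@" + domain.lower()


class HashedOptOutList:
    """Set of HMAC-SHA256(key, normalized address) values.

    `key` is a per-list secret. If the operator answers membership queries
    itself, nobody else needs the key and the exported hashes reveal nothing,
    not even to guessing. If list and key are handed to senders for local
    checking, a holder can still test candidate addresses one at a time (the
    "painful" check the comments mention) but cannot read addresses out."""

    def __init__(self, key, hashes=()):
        self._key = key
        self._hashes = set(hashes)

    def _digest(self, address):
        return hmac.new(self._key, normalize(address).encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def add(self, address):
        self._hashes.add(self._digest(address))

    def __contains__(self, address):
        return self._digest(address) in self._hashes

    def export(self):
        """What gets distributed: hashes only, sorted so order leaks nothing."""
        return sorted(self._hashes)


def scrub(optout, addresses):
    """Return the addresses a mailer may still send to."""
    return [a for a in addresses if a not in optout]


if __name__ == "__main__":
    optout = HashedOptOutList(b"constructed-demo-key")  # not a real secret
    optout.add("Alice@Example.com")
    print(optout.export())
    print(scrub(optout, ["bob@example.com", " alice@EXAMPLE.com "]))
```

The normalization step matters as much as the hash: without it, a sender could "honestly" miss an entry simply by capitalizing one letter, and a hash of the raw string would never match.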
The buffer overflow work is based on StackGuard, which was originally developed as a gcc extension and tried out in Immunix (a Linux distribution). However, instead of StackGuard, they're using IBM's ProPolice. ProPolice implements the same basic idea, but the patch itself works more cleanly across CPU architectures. Also, ProPolice has a simple optimization - it only enables the canary protection if the function has a char (like) array. This is a heuristic, but a reasonable one - most buffer overflow attacks exploit such arrays, and by doing this ProPolice has a lower performance overhead (without losing much in the way of protection).
Libsafe only protects a few built-in functions; it's not a bad idea, but it's FAR less effective than StackGuard or ProPolice.
The Openwall kernel patch is actually a collection of nifty capabilities. The "no executable stack" option is probably what you mean, but it turns out that there's a trivial way around it... so that part is only effective BECAUSE few people use it. Openwall has other stuff that's nice, though.
I think the reason these capabilities aren't in use everywhere (yet) is the conservatism of most distributions. Many distributions worry about any performance loss or compatibility loss. OpenBSD's primary focus is on security, so losing performance or backwards compatibility is not as serious an issue for them. I have hopes that these features will become more mainstream.
I can't seem to access the data noted in the Slashdot article. But other sources of data don't support this claim. See http://www.dwheeler.com/oss_fs_why.html#security - Attrition.org and alldas.de data suggests that, in the time they collected data, Windows was less secure.
An unmaintained system is almost always more vulnerable than a maintained system, no matter what they are. Also, I don't know how secure you'd like to think GNU/Linux distributions are - they're made by humans who make mistakes.
But the recent attacks certainly give evidence for th e Linux crowd. XP comes with multiple open ports by default, by default doesn't enable a firewall, and its mail reader by default runs arbitrary programs sent by attackers when clicked. Typical Linux distributions have no open ports by default, use a firewall, and don't stupidly trust attackers to send them "nice" programs when clicked.
The notion that Linux systems are immune is fundamentally wrong. Linux systems do make design choices that make them rather resistant. But it's all more complicated than "X is always more secure".
Security-wise, it's best to completely erase everything and start over. But with this particular type of Windows XP installation, I cannot erase everything and start over. I can do that with most other operating systems (such as Red Hat Linux, or even other versions of Windows): if they've been broken into (or I strongly suspect it), I can erase everything (or swap out the hard drive) and start over fresh. With this type of Windows XP installation, I must pray to the Tiki gods that the attacker forgot to attack the part of the computer I cannot defend. Of course, if I'm an attacker, wouldn't I want to attack the part of the computer that cannot be undone?
Not all Windows XP installations are set up this way, but many are. And this particular installation technique is uniquely dangerous. As far as I can tell, only certain Windows installations are this vulnerable in today's market.
A family member of mine got a new Windows XP system, installed it, and tried to download the security patches. Before the XP system managed to download the patches, it had already been 0wned by Blaster. It's really hard to keep a Windows system up-to-date when you can't connect to the Internet to update it.
My solution?? I used Red Hat Linux to download the patch, and wrote it on some media. Of course, he can't really completely wipe his hard drive to be sure he's safe from any other attacks. Why? If the drive is fully wiped, Windows XP can't be installed any more - on his system, the CD doesn't contain the entire OS!
Of course, I'm writing this from a Red Hat Linux system that has a nice built-in firewall, a "root" account that's not normally used, no externally-accessible ports, and lots of other designs that make it far more resistant to attack in the first place. Yum.
However, what will not work is requiring every email have an "opt-out" box. That's just a way of getting more spam; any opt-out list has to be one, single list. And having a national email list, with cleartext email addresses, is clearly a non-starter - that would just ensure more spam, by those who don't care about the law.
The simple solution is to store cryptographic hashes of email addresses - not the email addresses themselves. That way, having the address list doesn't actually give you a list of valid email addresses - it just gives you a way to (painfully) check if a given name exists on it. More details are at: http://www.dwheeler.com/essays/stopspam.html#opt-o ut-list>
This isn't perfect, but it might be a step in the right direction.
The current legislation makes it okay to spam as long as you do a few stupid things that harms consumers. That's worse than the current situation; at least some state laws have a small bite. But it makes sense - they're listening to the spammers, and not the people being harmed. They need to enact stronger laws than they've been willing to consider so far.
The book reviewed here is about how to SECURE a Mac OS X system given pre-canned applications. However, for information on how to write secure applications, you'll want more information. Please take a look at the Secure Programming for Linux and Unix HOWTO. It's free to download and redistribute (GFDL), and has lots of information on how to avoid common mistakes.
The word processor they're preferring is just another proprietary word processor. Wonderful, now the world has multiple incompatible proprietary formats for documents. And it's not as if they're really competing with each other: the mandate might ensure that Chinese only use one product, and its poor showing in the market will ensure that no one else will touch it.
For codecs it's even worse. The world already has patent-encumbered codecs that inhibit appropriate use. Why does the world need two incompatible sets of patent-encumbered codecs? All that does is inhibit data exchange and tax everyone. The world would be better off if they supported the Ogg Vorbis / Tarkin / etc. group.
Even their support of Red Flag Linux may not be all that helpful to open source software. I suspect Red Flag will end up with all sorts of proprietary bells and whistles. And again, due to protectionism, it probably won't be competitive worldwide, because it doesn't have to be.
True, this will probably harm Microsoft. I suspect that it won't really harm U.S. firms that much, because I understand that piracy is so rampant that only a relatively small percentage of software is bought legally anyway. But that doesn't mean this policy will help open source software. And in the end, it's likely this will harm China, too, because organizations that don't need to compete tend to be uncompetitive.
In my mind, there is "real" competition if the existence of some competitors (and their products) constrain the behavior of the lead competitor(s). By constrain, I mean reduce prices, innovate new features that they think customers really want, and so on. Is Microsoft reducing their general prices, or creating real innovations, because Open Office exists? Not yet in the general case. This pricing differentiation is already happening in specific cases, such as in Munich, but as of yet it's not trying to compete for Joe Average. By the way, I think their new DRM features don't count as innovation - they appear to me to be a new way to lock in users and constrain competition, not to really help end users.
As a practical matter, for "real" competition, there should be a significant fragment (say 30%+) of the potential users who will seriously consider using it, and some number of users (say 20-30%) who actually use something else. The exact numbers aren't as critical as the fact that the existence of a competitor changes the behavior of the lead competitor.
Oh, to answer your question, I've used many different office-related products, including Microsoft Office, Star Office, Open Office, Abiword, Gnumeric, KOffice, Word Perfect (I've also used WordStar, Apple Writer I and ][, and Lotus 1-2-3, but those are only historical now). So yes, I've used a number of products.
The biggest trouble with many of the open source programs is that they cannot properly open common Microsoft Office files. This is an absolute bare MINIMUM requirement for real use. Eric Raymond's DRAG.NET gets this right on:
A second problem with many of the open source programs is that they don't run on all the major platforms. No one will want to risk running an office suite if they can't trade data with their cohorts. If the application runs on everything, their risk is reduced.
This is why I'm particularly impressed with Open Office: it seems to import/export Microsoft Office files better than anyone else, including more of its sophisticated features, and it runs on LOTS of different platforms. I like Abiword's speedy startup and clean approach, but it just doesn't have the functionality and import/export capability. Last I saw, KOffice didn't run everywhere.
Anyway, I hope that helps.
Because "nearly everyone" uses Microsoft Office, it's extremely difficult for any competitor to enter the market - even if the competitor was always cheaper and manifestly superior. However, if large countries increasingly use products other than Microsoft Office, then countries will have to depend on something else than "everyone uses Microsoft Office" to exchange documents. I expect that "something else" to be either a standard document format, or to eventually standardize on some "other product".
A marketplace where there are many competing office products, but a need to exchange office documents, strongly favors open source products. That's especially true if the open source product can run on any operating system, as Open Office can. It's no big deal to say "everyone, let's install Open Office for this project so we can safely exchange documents", since Open Office is free to download. I wouldn't be surprised to see countries other than the U.S. adopt other office suites first, such as Open Office, and then U.S. companies will be forced to support those products to communicate with their international partners, suppliers, offshore sites, and so on.
I love to see real competition in any market. Perhaps this will be the start of real competition in office suites.
Many governments will only fund development work if the government benefits from it directly, or if it's viewed as a good way to disseminate academic or standards work already paid for by the government. In the U.S., in particular, the government does not want to get into the business of competing with business. You might want the U.S. government to pay for development of an application "for the good of its citizenry", but competing companies will be unhappy so it's unlikely that approach would succeed.
I can certainly imagine a government might want to discourage its citizenry from depending on a "foreign monopoly", and thus do more FLOSS work. The phrase "office of open source" (OOOS!) certainly sounds amusing! But since FLOSS would aid anyone - not just that country - it's again the tragedy of the commons at work. A set of governments could certainly do something. You're more likely to get wins in countries where a single person can commit national resources without endless review by committee, and where that single person is unlikely to be bribeable. It's a fact of life: in some poor countries where FLOSS might be helpful, FLOSS developers generally don't have the money to grease the palms of government people - and proprietary developers do. Still, you could argue you only need to do it a few times - just one person could fund improvements in Open Office or Mozilla, with very dramatic results, since the products are already in generally decent shape.
But the problem is that, in some sense, there are a lot of public goods and services that governments are being asked to provide, and software just isn't that high on their priority list. I know of no government complaining that it has too much money. Most governments have other things as a higher priority - if they don't fund software then software will still be produced, but if they don't fund schools or defense and so on, they can end up losing the country. Countries who are in decent shape have some advantage, and in democracies, if you can sell the project as something the country can be proud of I can imagine it working. (Look! We're leading the world in the new FLOSS development techniques, keeping more of our money at home, and growing our local high-tech industry!).
Many will argue that if governments invested more into FLOSS, then they could switch to FLOSS and save even more in the long run. That may be true, but from the government point of view there's a risk that they'll put all that money in, and get nothing back for it. Even if a FLOSS program is a good one, it's difficult to contract or hire developers in a way that ensures that the work done is worthwhile; many studies suggest that most software projects fail. Even if a FLOSS program is successful, the government program might not create successful improvements to it. For example, governments generally favor the lowest bidder..!
One interesting approach that hasn't been tried often enough is to bid on government contracts. Instead of trying to change the government, respond to how governments already work. If a government requests bids on a set of requirements, bid an approach that includes a FLOSS product that partly meets the requirement, as well as the costs of upgrading the product to meet the government requirements. (Think WINE, or importers/exporters for Open Office to work with Microsoft's proprietary formats). This probably won't work for st
However, both flawfinder and RATS (and ITS4) have the same basic problem - they only do basic lexical analysis, and none do an in-depth data and control flow analysis of the data sources. That's definitely a weakness, to which I say: I agree - so where's YOUR code? Please develop a more impressive source code analysis tool, and I'll be glad to reference it. Tools like smatch might help you implement one.
Sure, you shouldn't be coding in C if you don't know about how to protect against buffer overflows. But having a simple tool to help you find the spots you may have forgotten can help.
If you HAVE the source code, use a source code analyzer like my flawfinder tool (or Viega's RATS tool). Source code analyzers can immediately identify where the problem is, and several are freely available. And as has been noted elsewhere, the problem with binary analyzers is that they may show where some possible problems are, but it's very difficult to actually FIX the binary without the source code. That doesn't mean this is a useless product; if nothing else, if you're planning to use a proprietary program, a tool like this one might help you begin to understand your risks.
I can imagine some distributions of this translation system that take this code - with improvements - and precook large corpuses to create translators. Anyone want to write the Mozilla and OpenOffice plug-ins for the new menu item "Edit/Translate Language"?
General-purpose PDAs (like Palm PDAs) may not have quite the resolution of the specialized readers, but single-purpose units are a bad idea when you have to carry them around (who's going to carry 50 devices around?). Even sillier is the locked format; do they really expect us to buy 12 ebook readers, and pay again to download freely-available content on it? I routinely download documents and websites, and read them at my leisure.
I agree with you, suing the supplier of the spammed goods is more likely to be helpful. But they need to be penalized much more severely, e.g., all money that they made must be relinquished, as well as any legal fees by those bringing suit, PLUS a penalty. But not all spammers are selling goods... many are selling (often unpopular or hate-based) ideas, and they need to be shut down too.
But actually, I believe we do need laws. They won't completely stop it - murder still happens every day, and all societies forbid murder. But by making it a criminal offense, many of its practitioners will stop, and many existing mechanisms (courts, international treaties, etc) can suddenly be brought to bear. I believe that in the end, what's needed is a combination of law and technology.
The good news is that the politicians want to be able to use email too. This current proposed law isn't very good (why allow some marketers to spam me without my permission?), but it's a good sign that they're starting to try to craft legislation. The first law passed won't be effective, but it'll be the start towards a combination of measures that will stem the tide.
If you REALLY care about this, and you're a U.S. citizen, don't just sign an online petition - write (or at least call) your Congresscritters. The websites for the House of Representatives and Senate will both help you immediately find who your representatives are and how to contact them.
There are theories that suggest that these black holes won't last long. There are also theories that certain kinds of radiation are already creating these black holes around the Earth today.
But remember: The difference between theory and practice is much greater in practice than it is in theory.
I think any experiment which, if wrong, may exterminate the human race is a bad plan. Even if this one is fine, I would recommend that as a good rule to live by.
If they really think cosmic rays already create these, would it be possible to set up an observation system? Or, how about performing this experiment on a spaceship going AWAY from us?
I haven't noticed any spare Earths to live on. Perhaps they're available in the parallel universes suggested by some interpretations of quantum mechanics; I ask that the experimenters first provide us a way OFF the spaceship before they risk eliminating it entirely....!
For statistics about open source software / Free Software, see my paper, "Why Open Source Software / Free Software? Look at the Numbers!", at http://www.dwheeler.com/oss_fs_why.html . It has a large collection of information you'll probably find useful.
Guarded email completely deals with some of the problems noted in these comments:
If you're interested in countering spam, please check these out:
However, some complaints are still valid today... so having this book on-line could do a great service, by making it possible for people to identify still-extant problems and how to fix them.
For example, it is silly that Unix/Linux allow programs to create files with almost any filename. Leading dashes (-) are nothing but trouble: create the file "-fr", and the next "rm *" will be rather surprising. And why should control characters be allowed? It'd be nice to create an LSM module or whatever to forbid creating files with various awkward characters - or quietly rename them. Indeed, why not just proclaim that filenames are UTF-8 encodings, and forbid/rename anything else?
And yes, it'd be nice if "copy", "move", and "link" were standard synonyms for "cp", "mv", and "ln". It's easy to do that on a single system, but unless those names are widely adopted, it's not worth bothering. E.g., embed this in LSB conformance. In this case, I don't see enough people caring to make such a change - too bad, perhaps.
I certainly would suggest mining the book for good ideas. But, much of it is no longer relevant, so you have to hunt in it for the good ideas.
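As an added illustration of the filename policy sketched in the comment above (this is not the author's code and not an existing LSM module), a small Python checker and renamer for the three kinds of awkward name it mentions: leading dashes, control characters, and anything that is not valid UTF-8. The function names and the sample directory are constructed for this example.

```python
from __future__ import annotations
import os
import tempfile
import unicodedata

# Hypothetical policy, taken from the comment above: reject a leading dash,
# control characters, and names that are not valid UTF-8; or, as the
# "quietly rename" alternative, map the offending parts to "_".

def filename_problems(name: bytes) -> list[str]:
    """Return the policy violations for one raw (bytes) filename."""
    problems = []
    if name.startswith(b"-"):
        # "rm *" expands "-fr" into an option, not an operand; "rm -- *"
        # or "rm ./*" is the usual defence at the call site.
        problems.append("leading-dash")
    try:
        text = name.decode("utf-8")
    except UnicodeDecodeError:
        problems.append("invalid-utf8")
        text = name.decode("utf-8", errors="replace")
    if any(unicodedata.category(ch) == "Cc" for ch in text):
        problems.append("control-char")  # newline, tab, DEL, escape, ...
    return problems

def sanitize_filename(name: bytes) -> bytes:
    """The 'quietly rename' option: a name that satisfies the policy."""
    text = name.decode("utf-8", errors="replace")  # bad bytes -> U+FFFD
    text = "".join("_" if unicodedata.category(ch) == "Cc" or ch == "\ufffd"
                   else ch for ch in text)
    if text.startswith("-"):
        text = "_" + text[1:]
    return text.encode("utf-8")

def audit_directory(path: str) -> dict[bytes, list[str]]:
    """List entries as bytes so undecodable names are reported, not hidden."""
    report = {}
    for entry in os.listdir(os.fsencode(path)):
        problems = filename_problems(entry)
        if problems:
            report[entry] = problems
    return report

if __name__ == "__main__":
    # Constructed sample directory with one file of each awkward kind.
    with tempfile.TemporaryDirectory() as d:
        for raw in (b"-fr", b"notes\ntxt", b"caf\xe9.txt", b"fine.txt"):
            open(os.path.join(os.fsencode(d), raw), "wb").close()
        for raw, problems in sorted(audit_directory(d).items()):
            print(raw, problems, "->", sanitize_filename(raw))
```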
http://www.dwheeler.com/essays/stopspam.html: An essay about stopping spam. Although I think opt-out lists are a poor solution, they can be made to work - but they have to be run by someone without a conflict of interest (not true here!), and in a way that doesn't increase spamming (e.g., just store hashes, not the email addresses themselves). Make the spammers pay for the opt-out list upkeep. Most importantly, it has to be supported by law, not by lame "self-regulation".
http://www.dwheeler.com/guarded-email: A paper about Guarded Email, a particular challenge-response approach. Unlike heuristic approaches, these approaches kill off the attack / counter-attack cycle we're stuck in.
Enjoy!
I just want to say "Thank you!" to the MANY people who worked to make this possible. We all owe them a round of applause.
It's "Spider-man", not "Spiderman". There's a hyphen in the name. If you're going to fight over $millions, at least get the name right.
Libsafe only protects a few built-in functions; it's not a bad idea, but it's FAR less effective than StackGuard or ProPolice. The Openwall kernel patch is actually a collection of nifty capabilities. The "no executable stack" option is probably what you mean, but it turns out that there's a trivial way around it... so that part is only effective BECAUSE few people use it. Openwall has other stuff that's nice, though.
I think the reason these capabilities aren't in use everywhere (yet) is the conservatism of most distributions. Many distributions worry about any performance loss or compatibility loss. OpenBSD's primary focus is on security, so losing performance or backwards compatibility is not as serious an issue for them. I have hopes that these features will become more mainstream.