Slashdot Mirror


User: hrbrmstr

hrbrmstr's activity in the archive.

Stories: 0 · Comments: 184

Comments · 184

  1. Re:Good oh-penBSD on Sun vs. OpenBSD? · · Score: 2

    that, and decent MP support in OpenBSD...

    almost no point running it on "enterprise" h/w if it can't take real advantage of the scads of processors most places put in a single box.

  2. Good info and examples on Location-based Security for Wireless Apps · · Score: 3, Informative

    If you want more info on GIS with some decent links (including s/w that runs on linux and Java applications) to relevant examples, check out this article at dailywireless.org.

    It's a good page to start from if the IBM article feels a bit dry.

  3. Fundamental design, prj mgmt skills & hokey st on Indecision 2002 · · Score: 1

    Well, the equipment and systems failures reported today show me one thing: no matter how much one spends on a solution and how important the purpose of the solution is, it won't matter a bit if:
    • the developers (h/w and s/w) lack basic systems design skills
    • there is no real project management
    A big reason projects like mozilla or even openzaurus are so successful is that no one is afraid to test the crap out of them since folks can only benefit if bugs are found and addressed. The developers (or their management) of the voting systems and the VNS aggregator(s) apparently cared more about getting something out rather than getting something right. (I'm still leery about e-voting/polling at all...I wouldn't be surprised if the Georgia voters got a list of candidates that included CowboyNeal *:^)

    I also cannot see how CNN or anyone else can have the "guts" to call races without a ton of ground troops with wireless PDAs at a huge number of polls. VNS was supposed to be that for everyone (great job last time around, eh?) and managed to strike out a second time (at least in this case, no news is far better than blatantly wrong news).

  4. Re:LEAP? PEAP? Just say EAP-TTLS... on Microsoft and Wireless Authentication · · Score: 1

    My "rant" is actually more from a corporate perspective. EAP-PEAP is not as secure as EAP-TTLS and provides no additional functionality over EAP-TTLS. EAP-TTLS is a standard and it's based on the solid foundation of EAP-TLS. Neither works well for home users unless they happen to have a full fledged authentication/authorization infrastructure in place.

    I'm risking sounding like a typical /. poster with this next bit, but nothing from Microsoft is free. At home, I doubt many users are going to be able to set up a PKI infrastructure and at work (big Fortune 100) we don't use AD for PKI (why would anyone tie their PKI to M$) despite the fact that we are - primarily - a M$ shop for office stuff and Intranet stuff. We can't use open source software either (officially).

    And, finally, I'm not suggesting that M$ is trying to lock linux out. Rather, I'm suggesting that by only adopting _one_ halfway decent method of securing wireless communications that doesn't rely fully on PKI was wrong, especially when the better standard (EAP-TTLS) was available to work with. Just because Microsoft and Cisco say we should use something doesn't mean we actually should listen and follow like sheep.

    Hopefully, linux (via Xsupplicant?) will support all of the EAP-subtypes making it easier to integrate into any wireless network.

    Many thanks for the tip on the RG1000, tho...off to check eBay...

  5. Re:It is MAC address based, and not just for Wirel on Microsoft and Wireless Authentication · · Score: 1

    It's a shame they didn't open it up.

    The type of control/configuration would be extremely useful here (and not just for the annoyance factor *:^) I know Cisco has some similar stuff half working, but it takes a bit to prod our network folks to [breathe|bathe|do more than watch OpenView pretty colors change].

    Very cool stuff nonetheless, tho...

  6. Re:This is Bullshit. Here's Why: on Microsoft and Wireless Authentication · · Score: 1

    Cisco's implementation (since it requires a back-end server for the authentication portion) supports EAP-TLS (barely - only M$ AD as the certificate store), EAP-PEAP, EAP-MD5 and LEAP (I refuse to put EAP- in front of it anymore...it's not a standard). That's it. Nothing more. No plug-in capability on the ACS server and no API if I want to write my own module to work with another IETF standard (since I shouldn't have to rely on the *card* and *AP* to support all of the EAP subtypes).

    I agree, no Win2K support really bites for those that want to use EAP-PEAP, but we're stopping all deployments until EAP-TLS (we already have a full PKI infrastructure tested, rolling out in the next week or two) is supported with a non-M$ store. We can't afford to VPN everything (it is too expensive in a corporate environment) and EAP-PEAP is not ready for prime time. If M$ and Cisco had done the wise thing and supported EAP-TTLS, we probably would have compromised since it provides a migration from username/passwords to certs.

    (also, there's nothing wrong with going to meetings for the pens/shirts/cups either *:^)

  7. Re:Driver based encryption on Microsoft and Wireless Authentication · · Score: 1

    But the problem even with WEP+ and TKIP (rotate the shield frequencies mr data...keep them guessing *:^) is still the *medium*. It may take 2 weeks _now_ to break keys, but we still have traffic that is weakly protected spewing out for anyone to sit and capture...and capture...and capture...and then store on cheap and reliable media...to process _later_. When quantum computing becomes a reality (and it will be much quicker than predicted) WEP+/TKIP won't help anyone. Even now, with highly distributed computing readily available, 2 weeks might be reduced to 2 days. Would you feel secure providing a switched span port RJ45 jack out of your building if it relies on RC4 for encryption?

    AES is the best we've got now and is definitely better than RC4. Until all wireless connections use it (with a session/roaming scheme similar to EAP-TTLS), you had better keep your communication wrapped in ssh tunnels or IPsec VPNs.
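
    The comment above argues that RC4-keyed WEP traffic is worth capturing now and processing later. As an added example (not part of the original comment or of any Slashdot code), the Python below implements plain RC4 and WEP-style per-packet keying (a 3-byte IV prepended to the shared key, sent in the clear) and shows the concrete reason captured traffic is recoverable offline: the 24-bit IV space forces keystream reuse, and two frames under the same IV leak the XOR of their plaintexts, so one predictable frame (an ARP or DHCP body) reveals the other without the key. The shared key, IV and frame bodies are constructed sample values; the CRC-32 ICV and 802.11 framing are omitted as simplifications.

```python
# Added example (not from the original Slashdot comment): why captured WEP
# traffic can be processed "later". WEP seeds RC4 with IV || shared key; the
# 24-bit IV space forces reuse, and two frames under one IV share a keystream.
# Simplifications (assumptions): no CRC-32 ICV, no 802.11 framing.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then PRGA, emitting `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style: per-packet RC4 key is the 3-byte IV prepended to the shared key.
    Returns iv || ciphertext; the IV travels in the clear."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: re-derive the per-packet key from the clear IV."""
    iv, ct = frame[:3], frame[3:]
    return xor(ct, rc4_keystream(iv + key, len(ct)))


def recover_from_iv_collision(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes) -> bytes:
    """Passive attacker with no key. Given two captured frames that share an IV
    and the plaintext of one (a predictable ARP/DHCP body), recover the other:
    C_a ^ C_b = P_a ^ P_b, so P_b = C_a ^ C_b ^ P_a."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; no keystream reuse to exploit")
    n = min(len(frame_a), len(frame_b)) - 3
    ct_a, ct_b = frame_a[3:3 + n], frame_b[3:3 + n]
    return xor(xor(ct_a, ct_b), known_plaintext_a[:n])


def iv_collision_bound(packets_per_second: int) -> float:
    """Seconds until an AP that simply increments a 24-bit IV is guaranteed to wrap."""
    return (1 << 24) / packets_per_second


# Constructed sample: a 104-bit shared key and two frames that happen to share an IV.
SHARED_KEY = bytes.fromhex("0123456789abcdef0123456789")
IV = bytes([0x0A, 0x0B, 0x0C])
KNOWN_PLAINTEXT = b"ARP who-has 10.0.0.1 tell 10.0.0.7 "
SECRET_PLAINTEXT = b"POP3 USER alice PASS hunter2\r\n   "
FRAME_A = wep_encrypt(IV, SHARED_KEY, KNOWN_PLAINTEXT)
FRAME_B = wep_encrypt(IV, SHARED_KEY, SECRET_PLAINTEXT)

if __name__ == "__main__":
    print(wep_decrypt(SHARED_KEY, FRAME_A))                              # receiver, with key
    print(recover_from_iv_collision(FRAME_A, FRAME_B, KNOWN_PLAINTEXT))  # attacker, without key
    print(iv_collision_bound(500) / 3600, "hours until IV wrap at 500 pps")
```

    The recovery step never touches the shared key, which is the point of the comment: an archive of captured frames stays useful to whoever holds it, and per-packet keystream reuse is a property of the medium and the cipher mode, not of how long a key takes to crack.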

  8. Re:It is MAC address based, and not just for Wirel on Microsoft and Wireless Authentication · · Score: 1

    There are some even newer IEEE (and IETF to a certain extent) proposals on the way to force authentication *before* your "device" is allowed to make its way past the physical connection (strange how this forces one to think of wireless as a physical connection - I know it is : waves/particles : but I can actually *see* the RJ45 connector and CAT5E cable *:^). *That's* when things get cool. Authenticate/authorize me before I even get the ability to sniff broadcast traffic, then make sure everything thereafter is AES encrypted so even kismet and Ethereal won't be able to watch ARPs and DHCP traffic.

    Combine that with applying per-user/group ACLs that really make sure I can only go (at least initially) where I should and we start to have full-port security.

    That might be what the Cabletron/Enterasys solution is...I need to check that out if so (many thanks for the post!)

    And, as far as the most vulnerable part of the LAN goes: it's the end-user with a M$ workstation.

  9. LEAP? PEAP? Just say EAP-TTLS... on Microsoft and Wireless Authentication · · Score: 5, Interesting

    EAP-LEAP is one of the worst attempts (after basic WEP) at developing a protocol to secure wireless communications. Better to do IPSec through a VPN than to use it.

    EAP-PEAP is not just a M$/Cisco standard (but they are major backers of it). There are four/five documented security problems with PEAP, the worst of which is some nefarious individual being able to take over your roaming session with almost no effort (especially with Cisco's beta implementation). Read the RFC if you want to verify. Word of caution to all wireless freaks: PEAP is probably going to be what you'll be using to roam between 802.11b "cells" when they start popping up all over (AT&T - amongst others - has plans...big plans...). Keep your ssh tunnels at the ready if you ride those etherwaves...

    EAP-TLS's major shortcoming is the reliance upon a PKI infrastructure (how many of *you* have certificates?).

    The only real way out (at the moment) of the wicked mess that is wireless networking is EAP-TTLS. It has the strong security of the encrypted communications of EAP-TLS without the need for certificates for authentication and handles roaming much more securely than EAP-PEAP.

    Unfortunately, M$ and Cisco have embraced EAP-PEAP as the be-all, end-all of secure wireless communications. What we need is for some good developers to make stacks for Windows, Linux and MacOS so we can avoid being stuck in an insecure purgatory. Then again, Microsoft seems to encourage insecure wireless networks the way their interface to 802.11b networks is designed. I'm sure they (and lots of other large organizations) would love to see us use the most insecure method of wireless communications possible.

    Truth-be-told, it takes a great deal of horsepower in AP's (read: buy new h/w) and also takes some back-end systems to support EAP-PEAP or EAP-TTLS, and I doubt we'll see entries from Linksys or D-Link (and if we do see all-in-one solutions from them, it's game-over for security anyway). So there won't be a big saturation in the home market (where most of the wireless $$$ are going now).

    Smart Fortune 500's use VPN's on top of WEP (or the forthcoming next-gen WEP standard that rotates keys much more frequently) if they use it at all. The NIST (www.nist.gov) has all but told the government to just say "no" to wireless networks in any branch/office.

    I realize the point was to make sure we have tools in Linux so we aren't left out of wireless networks that employ EAP-PEAP. I say we try to ensure folks use the best possible technology *or* support multiple EAP subtypes (since there are lots of them and they're always adding more) and employ a method of restricting types of traffic on connections that had to use weaker (or no) authentication (i.e. WEP or LEAP? - need to use VPN... PEAP/TTLS? - maybe ok enough to go ahead w/o).

  10. xmanager might help on LDAP-Based Address Books for Win32? · · Score: 2, Interesting

    netsarang.com has a pretty inexpensive, commercial (supported) X server that works the way you seem to need it to (even has ssh support). I've used it from Win98->2K->XP flawlessly (when not on my linux or solaris boxes). You can try it for free (and if you can put up with annoy-ware, you can just hit 'cancel' when the free trial period dialog comes up and it will still function flawlessly).

    One thing your post has done is remind me of that "final" killer app - M$ Access. We've been doing a good job @ work coming up with as many alternatives to M$ on the desktop as we can. Before Ximian's wonderful xchng connector, we used a whacky combo of fetchmail (with NTLM support), imap, and pine to read/send mail and do rudimentary calendaring (it can be presented by xchng as an imap folder). I can read PDF's with open source and use cool print spool hacks to make better PDF's than adobe's writer. OpenOffice/StarOffice get us by on the majority of docs and I see so little of Visio files anymore that it is no longer on the 'killer' list.

    Unfortunately, we have a few Excel spreadsheets that neither "Office" likes (*why* do folks insist on creating Excel *databases*!). Those users that got a bit smarter made access db's (which I don't need to use frequently and - hence - forgot about) - *without* a SQL back-end! - and there's little we can do to mitigate that.

    just when i thought our work was almost done...

  11. Don't forget Sharp on PocketPC Wireless Webserver · · Score: 1

    A wireless web server was s/w task #3 on my new Zaurus. Way no-brainer. (and I bet my linux-native, developer Zaurus/wireless combo was cheaper than the crappy IPaq one...and my battery death won't cause me to have the unit shipped back to home base for repair).

    maybe timothy is just having a bad day. or dreaming [see http://www.monkey.org/~timothy/ @ end of page]...

  12. using it now on Bad Review for the Zaurus · · Score: 2, Interesting

    i'm replying from it now.

    it syncs w/my outlook.

    it works with my linksys cf very well.

    kbd is very cool.

    opera isn't bad.

    the reviewer is on crack.

  13. getting worried on Updated Slashdot Advertising Policy · · Score: 1

    phew!

    I was getting worried that "corporate America" really did take over /., leaving us with no Manager's Day specials!

    Really good one, guys!

  14. Re:Sounds like Cisco's WCCP on How to Work Around Broken Port-80 Routing? · · Score: 1

    actually, it's not Linux-based.

    it's BSD-based running a bastardized version of squid and probably one of the worst WCCP-enabled transparent proxies on the market (we use them, or rather, *try* to use them to handle 30 million URLs a day and they are less than desirable).

    their disk (read: hardware that actually enables caching) subsystem is horrible; whatever they did to BSD to make the DNS lookups bite is also a mystery.

    also, they managed to slap an IOS-like interface (or a crappy web-interface) onto something that was far more robust initially and then proceed to limit what you can do with the power of squid.

    they:

    - don't handle authentication well
    - don't consistently obey the caching rules of http-retrieved objects
    - only intercept what they are told to, so port 80 can be transparent, but sites on high ports or "weird" ports go streaming by

    the list is longer, but i feel better now. *:^)

    Cisco Crash^H^HpEngines are best used as doorstops. Keep them out of my network.

    I'm not suggesting all methods of transparent proxying are bad, but definitely stay away from this one...

  15. Re:Corporate POV on Sun to Charge for Star Office 6.0 · · Score: 1

    I'll take a look. Does it import/export Visio files? That would be the key for it to be a replacement.

    thx!

  16. Corporate POV on Sun to Charge for Star Office 6.0 · · Score: 5, Insightful

    A pasted translation from the German page above quickly points out that Sun is doing it so they can provide a supported product to businesses.

    I can confirm that my organization (Fortune 100) didn't give StarOffice a first look because it was "free". They don't trust free s/w and need to hold someone accountable if there are problems (I should point out that we don't really hold M$ accountable for much, but the exec$ feel good about the possibility of maybe being able to hopefully do so if there are really, really, major problems).

    I can also confirm that we would like to save megabuck$ and provide some productivity suite competition so we can stop getting royally soaked by mr gates & co.

    And I can confirm that other large organizations expressed the same feelings directly to Sun (with us).

    HOWEVER, Visio is the "killer app" that will stop us from using StarOffice. Without a Visio-killer (open source or otherwise), M$ will continue to dominate. Buying Visio was a very strategic move on Redmond's part and it will prevent a lot of places from switching since they would be fearful that it would not "integrate" properly with StarOffice (ever try to embed a complex Visio diagram in a Word file? there are integration problems enough within the suite, let alone outside of it).

    So, Sun will make some money in the small-to-medium sized orgs, but M$ will continue to rake in the dough from the big boyz.

  17. Re:Really necessary for a big Sun stamp of approva on The Apache/Sun Relationship Worsens · · Score: 5, Insightful

    For large organizations who (like mine) made a $50mil investment in moving to J2EE applications as a corporate standard, the Sun stamp of approval is absolutely necessary.

    Personally, I'll take Tomcat/Catalina + MySQL + Velocity + PoolMan over most Java app servers, and only feel that J2EE benefits extremely large apps with the need to connect to legacy systems.

    If the open source community starts to shun Java because of what Sun is doing, it will leave a huge hole and kill the momentum that has built up over the past 5 years or so.

    How many of us Java developers began web-development by downloading Tomcat? How many of us love Struts and Velocity and don't want to lock our skillsets into proprietary solutions from BEA or IBM?

    Sun needs to draw then walk a fine line between keeping the major app server purveyors happy while keeping the playing field open for those of us who want to use the technology, but don't have $50K handy for a single CPU license.

  18. one more step towards pay-per-show on Networks and Studios Against PVRs · · Score: 1

    this lawsuit is another nail in the coffins of major networks and broadcasters.

    i'm looking forward to the day when I can *order* exactly what show(s) i want (ad-[mostly]-free), have it stored digitally and be able to view it/them whenever i want (for whatever period of time is reasonable). this way, selecting by "genre" or "title" will be a "feature" and "service".

    smaller production shops might even be able to schlep out stuff on their own w/o the need to suck up to the big boyz.

    $40-$100/month for cable/satellite access for the crap that's on most of the channels is absolutely insane. yes, the PVR's help sift through some of this, but i don't think going the extra step of pay-per-show will hurt PVR's, just make them more useful.

    it will also get rid of a lot of worthless airtime and perhaps generate even better programmes.

  19. love w/o wires on Gifts for Valentine's Day, 2002? · · Score: 1

    *anything* 802.11*a* wireless...

    maybe a new iMac too *:^)

  20. mistake, but not fatal on No Solaris 9 for x86 · · Score: 2, Informative

    This hurts folks who want to learn on "cheap" h/w, but you can get a Sun Blade 64-bit workstation for $999 that runs the SPARC version of Solaris, so there are options for developers and those who want to "learn" Solaris, and e-Bay is full of old SPARCs that are *very* inexpensive.

    Solaris x86 was a dog on uniprocessor systems and multi-processor boxes aren't worth the cost when you can get a decent SPARC *blade* system for $999 and have 64-bit processing power.

    IA-64 is still far off, and you can bet that Sun will be there when that technology is actually released and more mature since they *have* to compete with M$, IBM and HPaQ on enterprise turf where dumb suits and admins think of "plug" when they hear "spark".

    As a Solaris daily user, I'd rather run Linux or QNX on PC h/w than Solaris anyway. Better updates to match h/w advances along with solid performance on single-chip boxes.

  21. Had to live up the legacy on Review:Fellowship of the Ring · · Score: 1

    Jackson had no option. It had to be spectacular.

    I'm T-3.25 hours from taking my daughter and 9 of her closest high school friends to the opening for her birthday.

    Her cake will have LOTR mini-action figures.

    Her presents are all (mostly) themed to LOTR.

    She's getting the BBC recordings for Christmas.

    She fell in love with "There And Back Again" when she was small. She became enthralled with LOTR when in high school; and she has lived in Middle-earth since she read the Silmarillion.

    For my daughter's sake (and for mine! *:^) I hope he really did measure up as well as our benevolent Cmdr said (I have little doubt that it truly will be spectacular).

    And as for those who remark about spoilers: yes, the story is old and known, but the unknowns are what Jackson & co. modified/whacked -- no T.B., Arwen is a jock, and tons of other small things that will hopefully be overshadowed by a remarkable performance by a very decent cast. I just hope I survive the gaggle of teenagers.

    "For the Shire!"

  22. Regional ISP's and tunnels on VPN Clients Not Allowed On Residential Service · · Score: 1

    I thankfully have DSL via a regional ISP who doesn't block port 80 inbound or VPN traffic (it doesn't block any traffic). The philosophy is: I contracted to have 'n' amount of bandwidth and I should be allowed to use it however I wish, provided I'm not disrupting other services or hacking.

    Suppose they did block VPN? The SSH questions are relevant since my company has a VPN solution, but it is *much* more convenient to set up one-or-more SSH tunnels and get access that way. SSH is reasonable traffic (especially if you're accessing Net CVS resources, distance-learning university accounts, or wrapping access to IMAP/POP/etc servers). If they block SSH (port 22) use it on a different port! If they look for SSH protocol traffic, use stunnel! There are always alternatives.

    If you signed a metered bandwidth contract on what you thought was a full-speed DSL/Cable line, then shame on you.

    We saw this coming. For these types of dumb ISP's, we sign up our employees on "business" DSL or Cable. It costs more than residential, but it's still cheaper than setting up/maintaining regional modem banks or contracting with a large telco to have them do the dial-up and lease pipes back.

    Still, the tunnel is the best backdoor approach (to get around ISP stupidity and corporate security!)

  23. Re:Deep pockets + low competence == prime target on Sunset Clauses in Software · · Score: 1

    I'm not saying that there should *never* be a case for s/w upgrades, but there needs to be some level of professionalism on the vendor's part in terms of *timeframe* on "required" re-licensing/re-purchasing.

    It is as unreasonable to expect the vendor to support 4 year old s/w as it is to have to re-purchase/re-license s/w every year. Our h/w is on a 3-year lifecycle, and I'm thinking that it would not be unreasonable to expect the same from s/w. *Most* vendors _are_ reasonable this way (case in point: to their credit, MS has supported Windows 95 for 6-7 years, which is an unsupportable OS by any standard from the start! *:^); it's the ones who aren't that pave the way for future stupidity.

    Now, we're big enough not to have gotten nailed by the recent (bad) Microsoft licensing (OS&Office) extortion, but there are many companies (on and below the Fortune 500 list) who weren't so fortunate/adept. They were forced to pay for software they won't even be using just to save money in the long run. It's like me paying the dealer for my next car while still driving my old one and not possessing the new one.

    To the main, referenced article's subject: were there really major enhancements to the way the various virus checkers grabbed bytes from the incoming files and compared them to the (hopefully) regularly updated sig files? Doubtful. The "security" companies are capitalizing on the fears and "necessities" of the times. It's plain wrong.

    Third party support would have worked if the dot-com bust hadn't happened. Now, we look to large, slow, red-tape-ridden companies so we can be sure they will be there a year from now. The support will rot, they'll produce inferior products as time goes by, and our IT staff will revel in the amount of time they have to d/l holiday screen savers and send AOL IM messages while the consultants come in and re-install, re-install, re-install...

  24. Deep pockets + low competence == prime target on Sunset Clauses in Software · · Score: 2, Interesting

    I work in IT for a well-known/respected Fortune 100 and we get hit with this all the time.

    The s/w vendors know we (and others like us):

    • have lots of money
    • have a majority of IT employees who are either mainframe rejects or have little more expertise than "click next"
    • have no time to waste on making the vendor do the right thing (since they put off what they should be doing for so long)
    • are looking for a way to do as little as possible, thus enjoy the fact that they can "hide" and become an "expert" at having the vendor come in and re-install s/w every 1-2 years.

    Look at stuff like MS-Word/Exchange/Outlook/OE. Are there *really* many more features in each that warrant the massive recycling of s/w that most large institutions go through regularly?

    It's getting just as bad with the app server markets as well. Vendors conveniently dropping support for older (their own) products (when the apps are running just fine for us) or for the OS level our stuff runs on just to have to buy new licenses (despite the fact that we do pay "maintenance" yearly).

    When I compare those with personal programs like MusicMatch and Xmanager - both with lifetime licenses and very decent feature-rich updates - it's hard to let the others justify their practices.

  25. Yet-another-EasyDNS-fan on What to do when your registrar (NSI) ignores you? · · Score: 1

    NSI screwed up the nameserver list (for my domains) in the *global* TLDs and it took an act of allah to finally get all records in alignment for me to send my final "get me off of your stinking system"-change-registrar approval message.

    Their online support was horrible.

    Their live-human-phone support was about as good as a trained monkey with a script and a banana.

    EasyDNS folks were patient through the whole process and *know their stuff*.

    The prices are really good considering it's both yearly registration fee *and* DNS.

    Mail store-and-forward has been a major cool feature and their web interface is speedy and reliable (changes happen exactly when they say they will).

    All questions are answered in hours by real folks and their referral program can wind up paying your yearly fees for you if you promote them well enough.

    They have *global* coverage (servers in very different locations), providing maximum uptime for your domain.

    The *only* thing wrong with them is that they are Canadian... *:^)

    NSI needs to go the way of the dinosaur...