No, what he writes is pointless because it's based on a tendentious redefinition of the word "free". Yes, "free" means zero cost, but it also means freedom. Gratis AND libre. Bertie discards the libre meaning. How could you hope to make sense from that hash? -russ
Bertie also confuses commercial software with proprietary software. Redhat Linux is commercial software. They charge money for it. Nobody's upset with Redhat because they charge money for their distribution. Some people are upset because Redhat has too much market share. Some are upset because they think Redhat is technically flawed. In spite of this, Bertrand says that free software people hate commercial software. That's nonsense on stilts! -russ
Whether Open Source has zero cost or not is totally beside the question. When the cost is zero, it is an artifact of the freedom to redistribute the code. Bertrand TOTALLY misses the point behind the Open Source movement: it is the ability to modify and/or redistribute the code that brings the community its power. -russ
I know one possible reason for why Borland says this:
Nothing in this license statement permits you to derive the source code of files that Borland has provided to you in executable form only, or to reproduce, modify, use, or distribute the source code of such files.
Because, back in 1987 or thereabouts, the Borland C library had a bug. I reverse-engineered their source (for all memory modules), fixed the bug, posted it to the net, and sent it to them. They sent me a demand letter demanding that I stop distributing their source code. Hehe. Not theirs, mine!! Still, they wanted to stop people from fixing bugs in their software, so they now have this in their license. -russ
Your reply is off-topic. The author of the story asked "will it see our beloved OSs lose their open-source vision and simply become the new medium for commercial software?"
I answered his question. You are responding to something I never said. -russ
Who cares if proprietary software (even if zero-cost) switches from proprietary operating systems to open-source operating systems? Who could be harmed by this? -russ
Who was talking about NAT? I'm suggesting that you run your public services on a public IP address and your private services on a non-routable private IP address.
The use of a firewall in itself offers little if any security!
Cool. Does it make me more correct if I use boldface?
And yes, geez, if you have one compromised host it can lead to other hosts being compromised. Should that surprise anyone? -russ
Imagine what a well-trained terrorist group could do with plastic explosives.
Oops, they already have. And we seem to have lived through it. There's a limit to the number of people desperate enough to take such chances with their lives.
If we can't keep crypto from being exported, how are we going to keep nanotech secret? It seems like we can only get rid of the *fantastic* risks of nanotech by giving up the *fantastic* benefits. That's a high cost. -russ
Technology solves problems. So, to ask the question "Is technology always good?" is to ask the question "Are there some problems for which the solution is worse than the problem?" If the problem has externalities that cannot be turned into private property, then perhaps the question is yes. But first you have to try to turn the externalities into private property. -russ
It's a simple fact that more Linux expertise is available because more people are running Linux. How is it a troll to recognize this fact in public? Sheesh, some moderators are biased. -russ
No, I'm not trolling. I haven't seen a rationale for a firewall which is any better than "Well, we're too stupid and lazy to lock down N Unix hosts, so we're going to lock down one. Somehow we will become less stupid and lazy because there is only one machine."
If I can secure a firewall that I control, then I can secure a firewall that I control.
If X then X is true every time, but it's not much of an argument for a firewall.
I can't prevent the group behind the firewall from introducing vulnerabilities on their side of the street
If they're in public services, you're toast *anyway*, because your firewall is letting those services through. If they're in private services, then why for God's sake did you bind them to a public IP address???
Most of the things that people are using firewalls to protect against can be solved by using non-routable IP addresses and some small amount of filtering on your router. -russ
It's not that I'm a god. It's just that I've seen firewalls and the machines behind them, and I'm unimpressed by the way they work, and I'm unimpressed by the arguments for them.
Why isn't your router blocking traffic with an unroutable source address?
You mean they build insecure boxes and then put them on the net? Why did they waste their time? -russ
Machines are cheaper than people. It's easier to configure N+1 machines all the same than to configure N machines one way and one machine a different way.
Not ignoring, just forgetting to dispense with it as an issue. -russ
1) Several people have asserted that a firewall somehow magically has more resources to deal with an attack. Sorry, no. If you have N+1 hosts, calling the one a firewall doesn't create more resources to deal with an attack.
2) A firewall breaks the end-to-end communication paradigm of the Internet. The idea is that you place smarts in the middle. Sorry, no. Hosts should communicate with hosts, not with intermediaries.
3) C'mon, you're running Unix, stop acting so helpless. If you can secure a Unix firewall, you can secure a Unix server. This is not rocket science. If you have to communicate with a service that you don't want to expose to the world, you bind it to a private IP address on NET10.
4) More often than not, a firewall is used to hide insecure hosts, and then people laughably call it "security in depth".
the only thing that allows your other boxes to work at all, since anything you want to do as a webhost is inherently insecure.
Exactly my point. You're exposing your weakest service. How does a firewall increase your security when you're giving away the farm? And as Slashdot proved, it's a single point of failure. -russ
You have N servers plus one firewall. All told, N+1 hosts have the horsepower to deal with the traffic. You just agreed to that, right? So why is life any easier just because one of the machines is configured as a firewall? -russ
You can't invent more CPU speed by dedicating one machine to filtering packets. The same amount of CPU speed could be used to serve pages.
What services does a slashdot server need to expose? ssh, qmail, http, mysql. The first two are trusted services, the third you're exposing to everyone so it had better be secure anyway. It's only the fourth that isn't necessarily trustworthy. -russ
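The scheme argued for in the firewall comments above (public services bound to a routable address, private services such as mysql bound to a NET10 address, and a little source-address and port filtering on the router) as an added worked example; this is not code from the original comments. Hostnames, addresses, interface names and port assignments are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: one public host, one private host, and the router
# filter that the comments claim makes a separate firewall box unnecessary.
# Addresses are documentation ranges chosen for the example (assumptions).

# Source ranges that must never arrive on the Internet-facing interface.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16",
)]

# Which service listens on which address: ssh/smtp/http on the public
# address, mysql only on the private NET10 address (assumed layout).
BINDINGS = {
    "203.0.113.10": {"ssh": 22, "smtp": 25, "http": 80},
    "10.0.0.10": {"mysql": 3306},
}


@dataclass
class Packet:
    iface: str   # "ext" = Internet-facing side, "int" = internal side
    src: str
    dst: str
    dport: int


def is_non_routable(addr: str) -> bool:
    """True if addr falls in a range that is never valid on the Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def router_verdict(pkt: Packet) -> str:
    """Return 'drop' or 'accept' per the router filtering the comments describe."""
    # Anti-spoofing: traffic from the Internet cannot carry a private source.
    if pkt.iface == "ext" and is_non_routable(pkt.src):
        return "drop"
    # Private addresses are unreachable from outside; such traffic is bogus.
    if pkt.iface == "ext" and is_non_routable(pkt.dst):
        return "drop"
    # Only a port actually bound on the destination address is reachable.
    if pkt.dport not in BINDINGS.get(pkt.dst, {}).values():
        return "drop"
    return "accept"
```

Note that a database reachable only on 10.0.0.10 is still reachable from any compromised internal host, which is the "one compromised host leads to others" point made in the same thread.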
Which operating systems forward source-routed packets or tunnel packets without explicitly being configured to do that?
You say it's weak security, but you come up with a weak example of why it is.
-russ
By the same logic:
This is Unix, get real. The logic is completely different. Arguing by analogy is, like, stupid.
I think the point is that they have one really good BSD guy. That makes BSD expertise 'more available' to Slashdot than whatever else.
You're right, that's a good point, but how does that make what I wrote a troll?
-russ
Because FreeBSD doesn't suck, it just doesn't have (tada!) as much expertise available.
-russ
bastards. Guys are bastards, girls are bitches. Sheesh!
-russ
"AI" is any technology we haven't implemented yet. A C compiler used to be AI. babelfish used to be AI. Now it's just a program.
-russ
I think the argument is that anything complicated enough to be smart and creative will also make mistakes. Oops.
-russ
SYN flooding is a solved problem in modern Linux kernels. Try again.
-russ
So that when the firewall is breached, they lose everything? Uh-uh for me.
2. If the firewall uses its CPU to deflect the crap, then the web servers won't have to deal with it.
So put the firewall into service as another server. You can't create more CPU by dedicating some of it to being a firewall.
3. They have a BSD uberadmin who can make that BSD box walk the dog. If something else weird goes on, it'll be in his back yard.
Linux expertise is more widely available.
-russ