I have both consoles, and Xbox stuff looks A LOT better than PS2 stuff. This isn't a slanted review, it's simple truth. The PS2 is a much less capable 3-d machine.
That said, the PS2 games are better, at least for now.
They're not saying the Xbox graphics are better because of some vast underground conspiracy, they're saying that the graphics are better because they are. That's not biased reporting, that's just the simple truth.
For one thing, they're going to attack with pesticides first, which will already reduce the fly population a great deal. THEN they will release sterile flies. They're not going to release just 50% of the current population. In the article, they say 'heavily outnumbering current males'. So let's say they release 25 times as many sterile flies as there are natural ones. That will drop the reproduction rate to 4% of its current level. If they continue this treatment for two or three generations, the flies will probably drop below a viable number and die out. They reproduce very slowly compared to most insects, so they're particularly vulnerable to this kind of attack. Your statement that 'flies breed like flies' is wrong in this case; tsetse flies are unique in their breeding habits. The number of mating pairs IS the limiting factor here.
Ok, so let's grant your argument that the agency is out to leech money forever instead of completely eradicating the flies. Even so, the Africans are probably STILL better off. Damages of 4.5 billion a year on a small economy like theirs is ENORMOUS. All that wealth is destroyed every year, so it's not available to grow and make more wealth the year following. (cattle die out and don't breed, etc.) If they cut that loss to 10% of what it is now, and pay, say, 100 million dollars a year to some outfit to do this... they're WAY WAY ahead. Given 10 to 15 years of reduced losses, the impact on their standard of living should be enormous. They should then be able to pay for a better solution that gets rid of the fly completely, assuming that one exists. If not, they're still a lot better off losing $550 million a year instead of 4.5 billion. And we're a little better off too, bringing back 100 million a year (just pulling that number out of the air) that otherwise would have been destroyed. It's a great arrangement for both parties.
As an aside, I really have to complain again about the poor journalism on this story. Editors, EVERY WORD in a submission is important. That means to check ALL of them. Make sure they are accurate. The submitter changed a word ('on' replaced 'of'), perhaps deliberately, and you guys passed it through verbatim. Even if your editorial policy prevents you from correcting errors in the actual submission text, you should note the error in your own blurb below.
This is just another example of many where the lead-in to the article implied that it meant something near and dear to geek hearts everywhere, when in fact the actual article said something entirely different. This submission was heavily slanted. Doing just a little basic fact-checking before sending these things through verbatim would go a long way toward enhancing your credibility. I've seen high school newspapers handle this better.
I posted a couple years ago on this topic. My hypothesis at the time was that Open Source would show more bugs for quite some time, as people poked through the code, but would gradually settle down and become very secure. I also believed that Windows vulnerabilities would continue to be discovered at a more or less constant rate.
The jury is still out.
The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.
In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.
Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.
An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.
Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.
Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.
We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).
Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.
The real professonals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.
However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")
Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.
But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.
Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.
So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.
It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.
It's going to take at least five more years to know -- and twenty might be a more reaonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.
I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.
On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case:-) )
I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.
Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.
I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original.:-)
no, it's worse than that....
on
Browsing Alone
·
· Score: 1
Good idea, but you drew the wrong conclusion. Obviously, the steady rise in stock prices is causing you to age.
Fortunately, you should have gotten younger last year.:-)
The problem with all these billions of dollars that were used up and wasted on building these online businesses is this: that money was not available to build more productive things.... like, say, power plants in California. And nearly all the money spent was to build unprofitable businesses that encouraged consumption. Despite what McTeer claims (if everyone would just join hands and buy an SUV), economies and wealth do not improve purely from consumption.
Basically: you cannot waste money in that magnitude without having a bad effect on the economy underneath. The subsequent crash and hard times for many techies can be directly related to this foolish overspending -- too many techs were hired in a hurry, so salaries went into the stratosphere, attracting many people into technology that would not otherwise have gone there. Now, there are too many techs, the unemployment rate is high, and salaries are dropping fast.
So, if you're a techie, you should be at least a little bit pissed about the 'stupid venture capitalists'. That money you saved on DVDs, etc. will be deducted from future paychecks.:\
Right now I'm pulling email through an AT&T Worldnet account. They're pretty cool, actually -- they allow remote access from anywhere, if you turn that setting on *from within their network*. You can't make changes to your account unless you're dialed into their systems. And they have dialups all over the world.
They also ONLY do encrypted mail; you can't do regular POP3, only encrypted. (I think it's over SSL, but I'd have to go review my settings and I'm too lazy to do that now.:-) ) Personally, I think that's very cool; force the user to spend a little bit more time setting up their client, and in exchange there's no cleartest mail going to or from their systems. Admittedly, AT&T can't control what other ISPs do, and in many cases the mail will be unencrypted during transit, but at least they're doing the part that's under their control RIGHT. If enough providers did that, email would be a lot more secure.
It seems really weird that att.net and attbi.com don't talk to each other. Sounds like att.net has it a hell of a lot more together.
The first one I got didn't work. The little green ring flashed orange/red instead. I could eject and insert DVDs, but nothing much happened. Orange/red wasn't listed in the error codes section of the manual, so I have no idea what was actually wrong.
Fortunately, I had bought an extended warranty on it, because of the hard drive. I almost never buy those, but in this case I did. Circuit City tried to tell me to call Microsoft but I got rather upset about that; the warranty I'd bought said that THEY handled it, not Microsoft. So after a minute or two they backed off. They didn't have any in stock, but they held one for me out of the next shipment and I returned it then.
New one works great. Halo is awesome, particularly on component video! It really makes the PS2 games, even the new great ones, look kinda pale and low-tech in comparison. I'm not a religious zealot: I have all three consoles. PS2 has the best games right now, but XBox looks far better than either of the other two. Given some time to develop I suspect it is the strongest of the three. I just wish the controllers were a little smaller. I prefer the ones on the GC.
And Halo really needed a mouse; crippling it to work on the dual-analog sticks was a real shame. I hate when politics ("The Xbox is not a PC!") gets in the way of the best solution.
The oversubscription that the phone companies do is perfectly legitimate because phones WORK. Except in emergencies, when was the last time you picked up a phone and DIDN'T get a dial tone?
Obviously, during major crises the system gets overloaded, but I find that quite acceptable personally.
This is entirely different from the ISP method of oversubscribing, where often things DO NOT work -- in fact sometimes you can even say 'usually don't work'.
Give me dial-tone reliability -- ie, deliver exactly what you promise to deliver -- and you can do any goddamn thing you want on the backend. If you have trained monkeys carrying packets on bicycles, I don't care, as long as it works.
The present situation, on the other hand, is execrable.
that's not a bad analogy....
on
Freedom or Power?
·
· Score: 3, Insightful
This argument by RMS is essentially about power -- HIS power. Bill Gates wants to force you to give him money in exchange for software. RMS wants to force you to give him the source code with any software you write.
Both arguments are essentially about the person doing the arguing, not the person on the other end of the transaction.
The right to choose the license under which you will release the work you do is probably the most fundamental freedom of all. Being forced to give away source code, whether you like it or not, is essentially forced bondage.
The GPL as written is an amazing document, one that does an excellent job of balancing freedoms for all parties involved in software distribution. But it doesn't suit all purposes or all situations. Trying to force it into all transactions is an abrogation of freedoms, not an extension.
Per Red Hat's RHCE training, ReiserFS is explicitly designed for the case of extremely fast access to many small files. It also uses space more efficiently with small files than any other filesystem on Linux, because it is able to glue together the small tails of the files into shared sectors.
Example: You write a 513-byte file to a filesystem with 512-byte sectors. On other FS types, that file will take 2 sectors. On Reiser, it will take 1 sector plus change. Numerous small files of this type can have their tails packed into the same shared sector. I do not know the overhead in bytes per file, and thus don't know how many tails you can put into a given sector.
It also handles a very large number of files in the same directory well. Most other FS types have problems if you dump 10,000 files into a directory. It is my understanding that Reiser deals with this extremely well.
However, there is one drawback. If you are using LILO, the tail packing can cause you much grief. Lilo does not understand tails. It will be unable to execute its own second part or the kernel itself if either has had a tail-pack done. Thus, you should likely use a separate/boot partition, and make that partition ext2 or ext3. Alternately, you can add the 'notails' option to your/etc/fstab file to turn off tail packing. If you aren't using many small files, this will not be a huge loss.
Mandrake 8.0 came with a 2.2 kernel with ReiserFS backported. DO NOT try to use ReiserFS with any software RAID in any Linux 2.2 kernel. Make sure you update to 2.4. I believe 8.1 comes with 2.4 standard, so it shouldn't be an issue anymore with that distribution.
There have also been numerous bugfixes in the Reiser code over the 2.4 releases, so you will probably want to go with as recent a kernel as you can. Linus' 2.4 kernel tree has the reputation of being unstable, so you may want to use Alan Cox's branch until the official tree stabilizes better.
I haven't directly compared OGG and mp3, mostly because I'm very happy with the quality of the mp3 encoding.
In my own testing, the r3mix.net settings were pretty much indistinguishable from the original in terms of frequency response. I did notice some changes in spatial effects. One of my CDs in particular was affected, Deepforest 2. With the original CD playing, the sound tended to bounce all around your head when wearing headphones. After being encoded by LAME, the sound still moved some, but it was much more granular. Most of the effect was lost. However, the actual FREQUENCY RESPONSE was awesome, and the only way I could really tell the difference was by listening very intensely. It is more than adequate for normal listening.
I did these tests about a year and a half ago, on LAME 3.81, and apparently it has improved quite a bit since. That team respects the r3mix site enough that they actually added in an '--r3mix' command line switch to implement all of their suggested settings at once. Apparently LAME now keeps more of the original signal; it's not quite so enthusiastic about assuming you can't hear certain kinds of noise. I'm hopeful this may have fixed the encoding issues I had with the earlier version.
Basically, given the fact that he has tons of space available, and given that there's all sorts of portable MP3 players in the world, I think he may still be happiest with MP3. I certainly am.
Equipment used: Non-golden ears, but decent ones. Soundblaster Live Platinum 5.1 (which has some frequency response issues with REAL audiophiles), Sennheiser HD 580 headphones for 'real' listening, Midiland S2 4100s (the older 2 speaker model) for casual music and gaming.
Aside: The 580s are AWESOME headphones, and you can often get them very cheap at auction. I got mine about two years ago for about $125. They have a reputation of having flaky connections. Mine did indeed have a problem when I first got them, which I solved simply by removing and replugging the wire in the bottom of the headphone. They are fully modular, easy to disassemble and clean, and sound INCREDIBLE. Two downsides: they really need an amplified headphone jack to reach their true potential, and they are big headphones. They're very comfortable but large.
Aside on the early model Midilands: great quality speakers, dismal amp. Hissy at any volume. Someday I'll move the way-cool little satellites onto a real amplifier, and will toss the subwoofer/amp in the trash.
I just went and looked -- they're $900 or so, and $70 for the 33gb tapes. I'm sure I got my unit for less than that, so you might look around a bit. I like mine a lot.
They're a little pricey, but I'm fond of the Ecrix VXA-1 tape drives. I have only used them on a personal basis, I haven't run them for any kind of SERIOUS backing-up, but I've been quite pleased so far. They're fast and hold a lot of data, and haven't dropped a byte on restores or compares. They remind me of DLT tapes, but they're not so goddamn expensive.
Last I checked they were about $700 for the drive, and about $30 per tape. 33GB true capacity, 60GB or so with hardware compression.
For those of you running big installations with DLTs, you might check out an eval unit and do some searching to see if they are as reliable as claimed. (have worked well for me, but I'm only backing up a few machines.) They seem very promising.
I was an Amiga zealot from way, way back -- had an A1000 on Christmas Day, 1985. (well, my parents did, but it was almost the same thing.:) ) And I despise Apple and will never give them a dollar that's under my control if I have any way to stop it.
That said, they WERE amazingly innovative. Remember, these are the people that *invented the laser printer*. That was actually a more impressive feat of engineering than the Mac was -- the laser printer attached to many Macs was more powerful than the computer itself!
You can point at almost any manufacturing company on the planet and say 'you didn't innovate feature X, you just used new parts by your supplier Y'. I believe that this is an unimportant argument. Surely one wouldn't expect Apple, who specialized in making PCs, to be creating new serial interfaces like Firewire from scratch. Instead, that is for specialist companies, which will then be bought out or start licensing their technology to more general-purpose ones. There's not a PC maker on the planet that is really 'innovative' anymore, not even Compaq. Everyone just takes boxes of off-the-shelf parts and assembles them in different configurations based on what users want.
By that measure, for many years Apple was leaps and bounds ahead in innovation. For years, they saw the interesting new technologies long before the PC market did, and integrated them and had them in shipping computers very quickly.
As an example, few, if any, PC manufacturers would have taken the risk to implement USB if they were designing their own motherboards -- nearly all of them license from specialists, though, and that is why most PCs now have USB. (it's only in the last year or so that the USB port has become useful, and it was largely the (otherwise horrid) iMAC that caused that to happen.) But Apple makes its own motherboards, and because of that they can implement new features sooner than the PC market generally can. Expecting them to design entirely new features completely out of thin air is a bit unrealistic -- they can't out-think the entire world. Why not just take what the world has invented and make it WORK?
Of course, I suppose you could argue by the same term that Microsoft is innovative -- because they buy the products of specialist companies and integrate them. However, I don't feel this applies in quite the same way -- Microsoft is in the business of writing software, and if they were really innovative they'd be coming up with new forms of software by themselves. Apple is more of a 'systems assembler' sort of company (admittedly with the software engineer hat as well) -- so their form of 'innovative' isn't quite the same as Microsoft's.
Even judged, though, from this lowered standard, they don't seem to have done much of import in the last four or five years. Actually, as far as I can tell, their innovation pretty much stopped dead after Jobs took back over... the high point has been 'colored computers'. OSX may be interesting but I think it's going to take some more proving out first.
Amelio was doing a much better job, IMO. He thought of the customer first and not Apple. If he had been allowed to stay in charge, Apple would likely have had hard times for about as long as they have -- maybe worse. But I think at this point the Macintosh would be a vibrant, healthy computing platform with lots of little garage shops making lots of money selling different expansions and attachments, much like all computers had in the 1980s. Instead, it is a mostly-stagnant, mummified architecture with few signs of life beyond snazzy new paint jobs.
I suspect that the Mac will need to show rousing success with OS X within the next 18-24 months, or become permanently irrelevant.
I thought that it was because I have abused the keyboard a bit, but my e's are repeating sometimes now. Might be a design flaw.
Also, one thing I forgot to mention is that the shift gets 'stuck' sometimes. It always has from the time I first had the keyboard. I have gotten so used to it that I have forgotten it, but it does still irritate me sometimes. Apparently this is not normal behavior and Kinesis offered to fix it for free, but I never bothered to send it in to them.
Your other comments are quite accurate. I also keep a 'normal' keyboard around for the games that don't remap keys well.
It strikes me that experience is the best thing of all to have, but the quality of your experience will be much heightened by getting a degree, preferably a master's or even a PhD, in computer programming. And go to a good school to get it, like UC Davis.
There are a lot of geeks in the industry who have gotten by on sheer brainpower. But no matter how smart you are, people that make you look flatly stupid have spent a lot of time thinking about basic computer theory and problem sets. They won't have been solving your exact problem, but they will certainly have developed techniques you can use.
Now, this isn't to say that degrees are the ONLY way to get the advanced knowledge. If you are smart enough, you can certainly do it on your own without ever setting foot in a classroom. But there is a HUGE amount to know. Whatever your approach (formal or informal) you will need to spend a LOT of time and effort studying basic theory and practicing implementations.... and endless, endless hours writing code.
There was an earlier article today about the use of LISP in the real world. Go read that article -- that guy knows what the hell he is talking about and will give you a pointer down the right road.
The general standards of intellectual excellence were much higher in the 1950s and 1960s. MAKE SURE you expose yourself to the thinking from that time. Our standards have dropped enormously and most people aren't even aware of it.
Remember, the only effective difference between cavemen and modern men is that we know more now. They were just as smart as we were. They had every bit as much basic brainpower. But they didn't have any knowledge -- they had no way to leverage those brains.
Expose yourself to the brilliant, brilliant work that has preceded you. Even if this doesn't make your actual code writing any better, it will give you a peek into a universe of problems that are enormously more interesting than connecting a web site to a SQL server.
Based on recommendations from a prior Slashdot article, I bought a Kinesis Ergo. At the time they were in Fry's for about $200 (the cheapest model). Fry's doesn't seem to have them anymore; you may have to order them from Kinesis.
The Ergo is shaped like a Microsoft Ergo keyboard in reverse; instead of a RAISED section for each hand, it has two SUNKEN sections, a bit like you took an ice cream scoop to a regular keyboard. Each key is at a slightly different angle and height. This makes it very difficult to type on at first. It took me probably about a week and a half before I was back up to acceptable speed with it, and probably most of a month before I was back to 100%. But, I kept improving -- the design of the keyboard makes it easy to feel mistakes. At this point, I make fewer typos, type faster, and experience much less wrist discomfort. It is a thoroughly superior solution. And I have no problem at all switching between standard 'flatties' and the Ergo. I don't even notice it.
I bought mine two years ago. At the time they still all used the older, large keyboard plug. I don't know whether or not they have been updated.... if not, you will need an adapter cable to use it with any machine that is less than 3 years old.
Yes, $200 is a lot to spend on a keyboard, but it's a lot less than it costs to fix your wrists. And these seem very well built.
Slashdot Mirror
I have both consoles, and Xbox stuff looks A LOT better than PS2 stuff. This isn't a slanted review, it's simple truth. The PS2 is a much less capable 3-d machine.
That said, the PS2 games are better, at least for now.
They're not saying the Xbox graphics are better because of some vast underground conspiracy, they're saying that the graphics are better because they are. That's not biased reporting, that's just the simple truth.
For one thing, they're going to attack with pesticides first, which will already reduce the fly population a great deal. THEN they will release sterile flies. They're not going to release just 50% of the current population. In the article, they say 'heavily outnumbering current males'. So let's say they release 25 times as many sterile flies as there are natural ones. That will drop the reproduction rate to 4% of its current level. If they continue this treatment for two or three generations, the flies will probably drop below a viable number and die out. They reproduce very slowly compared to most insects, so they're particularly vulnerable to this kind of attack. Your statement that 'flies breed like flies' is wrong in this case; tsetse flies are unique in their breeding habits. The number of mating pairs IS the limiting factor here.
Ok, so let's grant your argument that the agency is out to leech money forever instead of completely eradicating the flies. Even so, the Africans are probably STILL better off. Damages of 4.5 billion a year on a small economy like theirs is ENORMOUS. All that wealth is destroyed every year, so it's not available to grow and make more wealth the year following. (cattle die out and don't breed, etc.) If they cut that loss to 10% of what it is now, and pay, say, 100 million dollars a year to some outfit to do this... they're WAY WAY ahead. Given 10 to 15 years of reduced losses, the impact on their standard of living should be enormous. They should then be able to pay for a better solution that gets rid of the fly completely, assuming that one exists. If not, they're still a lot better off losing $550 million a year instead of 4.5 billion. And we're a little better off too, bringing back 100 million a year (just pulling that number out of the air) that otherwise would have been destroyed. It's a great arrangement for both parties.
As an aside, I really have to complain again about the poor journalism on this story. Editors, EVERY WORD in a submission is important. That means to check ALL of them. Make sure they are accurate. The submitter changed a word ('on' replaced 'of'), perhaps deliberately, and you guys passed it through verbatim. Even if your editorial policy prevents you from correcting errors in the actual submission text, you should note the error in your own blurb below.
This is just another example of many where the lead-in to the article implied that it meant something near and dear to geek hearts everywhere, when in fact the actual article said something entirely different. This submission was heavily slanted. Doing just a little basic fact-checking before sending these things through verbatim would go a long way toward enhancing your credibility. I've seen high school newspapers handle this better.
I posted a couple years ago on this topic. My hypothesis at the time was that Open Source would show more bugs for quite some time, as people poked through the code, but would gradually settle down and become very secure. I also believed that Windows vulnerabilities would continue to be discovered at a more or less constant rate.
The jury is still out.
The SecurityFocus statistics broke in August, 2001, per their web page, so one has to extrapolate the partial 2001 total to get the projected total for the year.
In that extrapolation, one sees that the expected number of bugs (assuming the 96 reported bugs cover through the end of August) would be 144. There were 153 the year prior, which is likely well within the margin of error. In addition, many of the black hats have STOPPED REVEALING their exploits, so in fact there may be many more than what we see.
Now, it's worth pointing out that this is not necessarily a good measurement of security. We may be measuring the wrong thing.
An example of bad measurement is the one the government used to determine how many cod were left out in the ocean, to prevent overfishing. Year after year, the catches were about the same, so the government assumed that the fish stocks were constant. But suddenly there were no more fish -- the industry collapsed.
Why? Because they were measuring the wrong thing. They weren't measuring the total number of fish, they were measuring the fish that were caught. They didn't realize, as the fish stocks dwindled rapidly, that the fishers were getting newer and better technology to fish with. The total number of fish coming out of the water was constant -- but as a fraction of the total fish in the water, was going up very quickly. Eventually the fish were all but wiped out.
Measuring security by bugs reported is very similar. It may or may not reflect the number of bugs in the 'ocean'. It is an indirect measurement at best.
We need to differentiate between fish 'caught' and fish 'available'. From a security perspective, I think we are talking about TRUE security (the number of fish in the water) versus FUNCTIONAL security (the number of fish actually being caught).
Now, as security people, our goal is to reduce the fish catch as much as possible. There's two ways to do this; we can reduce the number of fish, or we can somehow control, limit, or damage the profession of fishing.
The real professonals are trying to reduce the number of fish in the water. That's the true long-term solution. But from a short-term perspective, what I care about personally is how many fish are CAUGHT. Every time they come up with a new exploit, I have to run around like a maniac patching systems.
However, the fishing analogy starts to break down, as most do eventually. Truly secure systems are still run by people, and people make mistakes. Even if the OS is perfect, the attack will often come against the weakest link, the employees. Thus, even though I would prefer to have true security, I have to argue that it isn't really necessary. The OS just has to be stronger than the other avenues of attack. ("Why are you putting on tennis shoes? You can't outrun a bear!" "I don't have to. I just have to outrun you.")
Security through obscurity, in other words, may be adequate for most uses. It slows down the rate of fish catching. If nobody discovers the bug until the next version of the OS is out, the bug is less important. The longer it takes to discover the bug, in general, the less damage it will do -- at least as long as we're on the upgrade treadmill.
But, a counter-argument to that just occurred to me: Security through obscurity may be long-term counter-productive -- making it hard to catch fish may have the effect of increasing the fish supply. Every time a fish is caught, it can't breed, and reduces the total population by that much. Likewise, in code, once a vulnerability is discovered, many related vulnerabilities may also be patched. Thus, security through obscurity may work well for a long time, but may actually be making the fundamental problem worse.
Another observation I have to add is that programmers like to create new programs. Very few of them like to audit code. New projects and programs are being added to the Open Source world at an amazing speed, and I don't think they're being stringently audited. In other words, they're adding to the fish stocks every day. There is no QA department in Open Source, and the code is getting more complex than individual people can understand anymore. I think, unless we come up with a better development method, Microsoft's ability to fund a billion dollar a year QA department is likely to reduce their fish count below that of Open Source.
So I think I will need to expand on my original hypothesis. I now believe that Open Source will probably lag behind closed source in terms of FUNCTIONAL security. In terms of TRUE security (absolute number of exploitable bugs, known or unknown) -- there's no easy way to tell. If catching fish reduces the fish supply, and if the programmers don't add too many new fish, eventually Open Source will start winning. But if Microsoft's QA department does a good job with their nets and lures, their fish supply may drop just as fast or faster. Money is definitely a good way to motivate people, and Microsoft has a lot of it.
It's also worth pointing out that even if things are getting more secure, the catch rates may be roughly constant, because presumably the crackers will get better and better, catching a higher and higher percentage of the fish. If the analogy holds, and I suspect it may, then eventually the fish stocks will be exhausted and the black hats will be very suddenly unable to crack machines anymore.
It's going to take at least five more years to know -- and twenty might be a more reaonable time frame. It took a long time to wipe out all those billions of cod. It may take just as long to wipe out the pool of security flaws.
<<RON>>
My kingdom for mod points :-)
I just installed OpenBSD 3.0 yesterday on a new firewall I am deploying. I have used prior OpenBSDs, since about 2.6, and am quite familiar with their earlier releases of ipfilter.
:-) )
:-)
On the whole, from what I can see, the new pf really is better. The syntax is similar to the old (ie, very human-readable), and in some cases makes a bit more sense. I had a simple firewall up, starting from bare metal, in one hour, fifteen minutes, and that included the time to take the box apart to install a second NIC. (but not reassemble the case
I've also been working with iptables at work, as we use Linux there. I very much prefer pf; it's much cleaner and better-designed. One caveat: by default, the rules are 'backwards'. Instead of 'match first rule', pf (and also ipfilter) makes decisions on the LAST matching rule. Fortunately, you can short circuit this logic by using the 'quick' keyword. This restores the 'first match' logic that I prefer. The 'last match' method seems both backwards and harder to maintain.
Honestly, I can't imagine why you'd want OpenBSD with ipfilter anymore; the new packet filter is better than the old one, a little easier to set up, and integrated in the core OS. The one argument I'd have for ipfilter is that it's more mature and tested. However, from what I can see, pf is a better solution. Better still, it's written by paranoid security nuts... I imagine the shakedown period on pf will be much much shorter than with most new code.
I must admit that I had some trepidation about the transition, as I liked ipfilter very much. I'm pleased to report that the replacement appears better than the original.
Good idea, but you drew the wrong conclusion. Obviously, the steady rise in stock prices is causing you to age.
:-)
Fortunately, you should have gotten younger last year.
I was pretty surprised that Counterstrike had made it to a Slashback -- I knew the cheating was terrible, but didn't think there was a Linux client.
:-)
Turns out it was actually unimportant... just real life. Pfaugh.
The problem with all these billions of dollars that were used up and wasted on building these online businesses is this: that money was not available to build more productive things.... like, say, power plants in California. And nearly all the money spent was to build unprofitable businesses that encouraged consumption. Despite what McTeer claims (if everyone would just join hands and buy an SUV), economies and wealth do not improve purely from consumption.
:\
Basically: you cannot waste money in that magnitude without having a bad effect on the economy underneath. The subsequent crash and hard times for many techies can be directly related to this foolish overspending -- too many techs were hired in a hurry, so salaries went into the stratosphere, attracting many people into technology that would not otherwise have gone there. Now, there are too many techs, the unemployment rate is high, and salaries are dropping fast.
So, if you're a techie, you should be at least a little bit pissed about the 'stupid venture capitalists'. That money you saved on DVDs, etc. will be deducted from future paychecks.
Right now I'm pulling email through an AT&T Worldnet account. They're pretty cool, actually -- they allow remote access from anywhere, if you turn that setting on *from within their network*. You can't make changes to your account unless you're dialed into their systems. And they have dialups all over the world.
:-) ) Personally, I think that's very cool; force the user to spend a little bit more time setting up their client, and in exchange there's no cleartest mail going to or from their systems. Admittedly, AT&T can't control what other ISPs do, and in many cases the mail will be unencrypted during transit, but at least they're doing the part that's under their control RIGHT. If enough providers did that, email would be a lot more secure.
They also ONLY do encrypted mail; you can't do regular POP3, only encrypted. (I think it's over SSL, but I'd have to go review my settings and I'm too lazy to do that now.
It seems really weird that att.net and attbi.com don't talk to each other. Sounds like att.net has it a hell of a lot more together.
The first one I got didn't work. The little green ring flashed orange/red instead. I could eject and insert DVDs, but nothing much happened. Orange/red wasn't listed in the error codes section of the manual, so I have no idea what was actually wrong.
Fortunately, I had bought an extended warranty on it, because of the hard drive. I almost never buy those, but in this case I did. Circuit City tried to tell me to call Microsoft but I got rather upset about that; the warranty I'd bought said that THEY handled it, not Microsoft. So after a minute or two they backed off. They didn't have any in stock, but they held one for me out of the next shipment and I returned it then.
New one works great. Halo is awesome, particularly on component video! It really makes the PS2 games, even the new great ones, look kinda pale and low-tech in comparison. I'm not a religious zealot: I have all three consoles. PS2 has the best games right now, but XBox looks far better than either of the other two. Given some time to develop I suspect it is the strongest of the three. I just wish the controllers were a little smaller. I prefer the ones on the GC.
And Halo really needed a mouse; crippling it to work on the dual-analog sticks was a real shame. I hate when politics ("The Xbox is not a PC!") gets in the way of the best solution.
Grr... why do I never have mod points when I actually want them?
Interesting ideas here -- whether or not they're true, they're worth thinking about.
The oversubscription that the phone companies do is perfectly legitimate because phones WORK. Except in emergencies, when was the last time you picked up a phone and DIDN'T get a dial tone?
Obviously, during major crises the system gets overloaded, but I find that quite acceptable personally.
This is entirely different from the ISP method of oversubscribing, where often things DO NOT work -- in fact sometimes you can even say 'usually don't work'.
Give me dial-tone reliability -- ie, deliver exactly what you promise to deliver -- and you can do any goddamn thing you want on the backend. If you have trained monkeys carrying packets on bicycles, I don't care, as long as it works.
The present situation, on the other hand, is execrable.
This argument by RMS is essentially about power -- HIS power. Bill Gates wants to force you to give him money in exchange for software. RMS wants to force you to give him the source code with any software you write.
Both arguments are essentially about the person doing the arguing, not the person on the other end of the transaction.
The right to choose the license under which you will release the work you do is probably the most fundamental freedom of all. Being forced to give away source code, whether you like it or not, is essentially forced bondage.
The GPL as written is an amazing document, one that does an excellent job of balancing freedoms for all parties involved in software distribution. But it doesn't suit all purposes or all situations. Trying to force it into all transactions is an abrogation of freedoms, not an extension.
Per Red Hat's RHCE training, ReiserFS is explicitly designed for the case of extremely fast access to many small files. It also uses space more efficiently with small files than any other filesystem on Linux, because it is able to glue together the small tails of the files into shared sectors.
/boot partition, and make that partition ext2 or ext3. Alternately, you can add the 'notails' option to your /etc/fstab file to turn off tail packing. If you aren't using many small files, this will not be a huge loss.
Example: You write a 513-byte file to a filesystem with 512-byte sectors. On other FS types, that file will take 2 sectors. On Reiser, it will take 1 sector plus change. Numerous small files of this type can have their tails packed into the same shared sector. I do not know the overhead in bytes per file, and thus don't know how many tails you can put into a given sector.
It also handles a very large number of files in the same directory well. Most other FS types have problems if you dump 10,000 files into a directory. It is my understanding that Reiser deals with this extremely well.
However, there is one drawback. If you are using LILO, the tail packing can cause you much grief. Lilo does not understand tails. It will be unable to execute its own second part or the kernel itself if either has had a tail-pack done. Thus, you should likely use a separate
Mandrake 8.0 came with a 2.2 kernel with ReiserFS backported. DO NOT try to use ReiserFS with any software RAID in any Linux 2.2 kernel. Make sure you update to 2.4. I believe 8.1 comes with 2.4 standard, so it shouldn't be an issue anymore with that distribution.
There have also been numerous bugfixes in the Reiser code over the 2.4 releases, so you will probably want to go with as recent a kernel as you can. Linus' 2.4 kernel tree has the reputation of being unstable, so you may want to use Alan Cox's branch until the official tree stabilizes better.
I haven't directly compared OGG and mp3, mostly because I'm very happy with the quality of the mp3 encoding.
In my own testing, the r3mix.net settings were pretty much indistinguishable from the original in terms of frequency response. I did notice some changes in spatial effects. One of my CDs in particular was affected, Deepforest 2. With the original CD playing, the sound tended to bounce all around your head when wearing headphones. After being encoded by LAME, the sound still moved some, but it was much more granular. Most of the effect was lost. However, the actual FREQUENCY RESPONSE was awesome, and the only way I could really tell the difference was by listening very intensely. It is more than adequate for normal listening.
I did these tests about a year and a half ago, on LAME 3.81, and apparently it has improved quite a bit since. That team respects the r3mix site enough that they actually added in an '--r3mix' command line switch to implement all of their suggested settings at once. Apparently LAME now keeps more of the original signal; it's not quite so enthusiastic about assuming you can't hear certain kinds of noise. I'm hopeful this may have fixed the encoding issues I had with the earlier version.
Basically, given the fact that he has tons of space available, and given that there's all sorts of portable MP3 players in the world, I think he may still be happiest with MP3. I certainly am.
Equipment used: Non-golden ears, but decent ones. Soundblaster Live Platinum 5.1 (which has some frequency response issues with REAL audiophiles), Sennheiser HD 580 headphones for 'real' listening, Midiland S2 4100s (the older 2 speaker model) for casual music and gaming.
Aside: The 580s are AWESOME headphones, and you can often get them very cheap at auction. I got mine about two years ago for about $125. They have a reputation of having flaky connections. Mine did indeed have a problem when I first got them, which I solved simply by removing and replugging the wire in the bottom of the headphone. They are fully modular, easy to disassemble and clean, and sound INCREDIBLE. Two downsides: they really need an amplified headphone jack to reach their true potential, and they are big headphones. They're very comfortable but large.
Aside on the early model Midilands: great quality speakers, dismal amp. Hissy at any volume. Someday I'll move the way-cool little satellites onto a real amplifier, and will toss the subwoofer/amp in the trash.
I just went and looked -- they're $900 or so, and $70 for the 33gb tapes. I'm sure I got my unit for less than that, so you might look around a bit. I like mine a lot.
They're a little pricey, but I'm fond of the Ecrix VXA-1 tape drives. I have only used them on a personal basis, I haven't run them for any kind of SERIOUS backing-up, but I've been quite pleased so far. They're fast and hold a lot of data, and haven't dropped a byte on restores or compares. They remind me of DLT tapes, but they're not so goddamn expensive.
Last I checked they were about $700 for the drive, and about $30 per tape. 33GB true capacity, 60GB or so with hardware compression.
For those of you running big installations with DLTs, you might check out an eval unit and do some searching to see if they are as reliable as claimed. (have worked well for me, but I'm only backing up a few machines.) They seem very promising.
Anyone who would install a binary off USENET is too stupid to live. :-)
Of COURSE I would pick the one technology they DID invent. *chuckle* I must have known that on some level. Darn subconscious.
:-)
Oh well
I was an Amiga zealot from way, way back -- had an A1000 on Christmas Day, 1985. (well, my parents did, but it was almost the same thing. :) ) And I despise Apple and will never give them a dollar that's under my control if I have any way to stop it.
That said, they WERE amazingly innovative. Remember, these are the people that *invented the laser printer*. That was actually a more impressive feat of engineering than the Mac was -- the laser printer attached to many Macs was more powerful than the computer itself!
You can point at almost any manufacturing company on the planet and say 'you didn't innovate feature X, you just used new parts by your supplier Y'. I believe that this is an unimportant argument. Surely one wouldn't expect Apple, who specialized in making PCs, to be creating new serial interfaces like Firewire from scratch. Instead, that is for specialist companies, which will then be bought out or start licensing their technology to more general-purpose ones. There's not a PC maker on the planet that is really 'innovative' anymore, not even Compaq. Everyone just takes boxes of off-the-shelf parts and assembles them in different configurations based on what users want.
By that measure, for many years Apple was leaps and bounds ahead in innovation. For years, they saw the interesting new technologies long before the PC market did, and integrated them and had them in shipping computers very quickly.
As an example, few, if any, PC manufacturers would have taken the risk to implement USB if they were designing their own motherboards -- nearly all of them license from specialists, though, and that is why most PCs now have USB. (it's only in the last year or so that the USB port has become useful, and it was largely the (otherwise horrid) iMAC that caused that to happen.) But Apple makes its own motherboards, and because of that they can implement new features sooner than the PC market generally can. Expecting them to design entirely new features completely out of thin air is a bit unrealistic -- they can't out-think the entire world. Why not just take what the world has invented and make it WORK?
Of course, I suppose you could argue by the same term that Microsoft is innovative -- because they buy the products of specialist companies and integrate them. However, I don't feel this applies in quite the same way -- Microsoft is in the business of writing software, and if they were really innovative they'd be coming up with new forms of software by themselves. Apple is more of a 'systems assembler' sort of company (admittedly with the software engineer hat as well) -- so their form of 'innovative' isn't quite the same as Microsoft's.
Even judged, though, from this lowered standard, they don't seem to have done much of import in the last four or five years. Actually, as far as I can tell, their innovation pretty much stopped dead after Jobs took back over... the high point has been 'colored computers'. OSX may be interesting but I think it's going to take some more proving out first.
Amelio was doing a much better job, IMO. He thought of the customer first and not Apple. If he had been allowed to stay in charge, Apple would likely have had hard times for about as long as they have -- maybe worse. But I think at this point the Macintosh would be a vibrant, healthy computing platform with lots of little garage shops making lots of money selling different expansions and attachments, much like all computers had in the 1980s. Instead, it is a mostly-stagnant, mummified architecture with few signs of life beyond snazzy new paint jobs.
I suspect that the Mac will need to show rousing success with OS X within the next 18-24 months, or become permanently irrelevant.
I thought that it was because I have abused the keyboard a bit, but my e's are repeating sometimes now. Might be a design flaw.
Also, one thing I forgot to mention is that the shift gets 'stuck' sometimes. It always has from the time I first had the keyboard. I have gotten so used to it that I have forgotten it, but it does still irritate me sometimes. Apparently this is not normal behavior and Kinesis offered to fix it for free, but I never bothered to send it in to them.
Your other comments are quite accurate. I also keep a 'normal' keyboard around for the games that don't remap keys well.
It strikes me that experience is the best thing of all to have, but the quality of your experience will be much heightened by getting a degree, preferably a master's or even a PhD, in computer programming. And go to a good school to get it, like UC Davis.
There are a lot of geeks in the industry who have gotten by on sheer brainpower. But no matter how smart you are, people that make you look flatly stupid have spent a lot of time thinking about basic computer theory and problem sets. They won't have been solving your exact problem, but they will certainly have developed techniques you can use.
Now, this isn't to say that degrees are the ONLY way to get the advanced knowledge. If you are smart enough, you can certainly do it on your own without ever setting foot in a classroom. But there is a HUGE amount to know. Whatever your approach (formal or informal) you will need to spend a LOT of time and effort studying basic theory and practicing implementations.... and endless, endless hours writing code.
There was an earlier article today about the use of LISP in the real world. Go read that article -- that guy knows what the hell he is talking about and will give you a pointer down the right road.
The general standards of intellectual excellence were much higher in the 1950s and 1960s. MAKE SURE you expose yourself to the thinking from that time. Our standards have dropped enormously and most people aren't even aware of it.
Remember, the only effective difference between cavemen and modern men is that we know more now. They were just as smart as we were. They had every bit as much basic brainpower. But they didn't have any knowledge -- they had no way to leverage those brains.
Expose yourself to the brilliant, brilliant work that has preceded you. Even if this doesn't make your actual code writing any better, it will give you a peek into a universe of problems that are enormously more interesting than connecting a web site to a SQL server.
Based on recommendations from a prior Slashdot article, I bought a Kinesis Ergo. At the time they were in Fry's for about $200 (the cheapest model). Fry's doesn't seem to have them anymore; you may have to order them from Kinesis.
The Ergo is shaped like a Microsoft Ergo keyboard in reverse; instead of a RAISED section for each hand, it has two SUNKEN sections, a bit like you took an ice cream scoop to a regular keyboard. Each key is at a slightly different angle and height. This makes it very difficult to type on at first. It took me probably about a week and a half before I was back up to acceptable speed with it, and probably most of a month before I was back to 100%. But, I kept improving -- the design of the keyboard makes it easy to feel mistakes. At this point, I make fewer typos, type faster, and experience much less wrist discomfort. It is a thoroughly superior solution. And I have no problem at all switching between standard 'flatties' and the Ergo. I don't even notice it.
I bought mine two years ago. At the time they still all used the older, large keyboard plug. I don't know whether or not they have been updated.... if not, you will need an adapter cable to use it with any machine that is less than 3 years old.
Yes, $200 is a lot to spend on a keyboard, but it's a lot less than it costs to fix your wrists. And these seem very well built.
High maintenance item. You just wouldn't believe how much bread they burn through.