Slashdot Mirror


User: msobkow

msobkow's activity in the archive.

Stories
0
Comments
5,287
First seen
Last seen
Profile
(view on slashdot.org)

Comments · 5,287

  1. Re:Spin is just spin on IE Holes Not Microsoft's Fault, Says Bill · · Score: 1

    Precisely my point. There is no use to building security into a system if the developers for that system keep releasing bugware that requires the security be disabled in order to function.

    Providing children with admin access in order to run eduware is a major hole in any system's security. Could you imagine the uproar if you had to log in as "root" on a Linux box in order to run a videogame? Yet this very foolish behavior is tolerated in the Windows world in the name of "ease of use", while many other software vendors demonstrate time and again that you can write great software without requiring such security holes -- even with Windows.

  2. Spin is just spin on IE Holes Not Microsoft's Fault, Says Bill · · Score: -1, Offtopic

    Technically Bill is right. It's not IE causing the problems -- it's just the unlocked door that the problems wander in through.

    But if you have brain-dead users downloading software from popups (not back doors and virus vectors), Mozilla will still have the same problem with trojans and spambot software that IE does.

    That's really where Windows has it's biggest vulnerability. My relatives still have to grant their kids admin authority just to run eduware videogames -- and one of the games requiring that was only released two years ago! (I bought it for my niece this past Christmas.)

  3. Childish nonsense on Slackware Likely To Drop GNOME Support · · Score: 3, Insightful

    If the biggest thing you can find to bitch about is whether all the names start with a G(nu) or Gnome vs. K(de), then I'd say both desktops have succeeded beyond their wildest dreams.

    Personally I use both, but I use Gnome for my personal account. GTK is cross platform; so is Qt. My guess is Qt might be better for Windows porting, but as far as Linux itself goes I don't really see much difference. In both cases I just configure until it works the way I want.

    Programming is another issue, but I haven't done enough with either to say which is truly "better", and it would just be my personal opinion anyhow. After working with 2-3 other GUI toolkits over the years, I realized they all basically work the same, some just have a cleaner programming interface or more default/standard widgets.

    The whining about package dependencies is just that -- whining. Go ahead and try and install something that requires IE components under Windows and see how far you get if you manage to remove IE. The same goes for Gnome's "Bonobo" CORBA support or Qt under KDE. If the package was built with particular software in mind it will need to have it installed.

    Or is everyone going to start crying about all the HTML display components that require Mozilla as well? Perhaps you'd like to get rid of glibc because you like another ANSI C library?

    Wah.

    Wah. Wah. Wah.

  4. Re:Same here on Ballmer Says iPod Users are Thieves · · Score: 1

    There are some small labels that still find the little bands worth listening to. That's the one advantage of some of the MP3's and streaming -- once in a while a friend points me at a group they think I should check out.

    If it's any good, it just goes on the "buy" list -- why settle for any quality loss if you can get the CD for a reasonable price?

    I do wish more good music were available on SACD -- I'd even settle for DVD Audio disks. I just miss the clean, crisp highs that vinyl used to have -- just not enough to go to the expense and effort of vinyl.

  5. Re:Quickie Slashdot Poll... on Ballmer Says iPod Users are Thieves · · Score: 1

    7) Roughly what percentage of your collection is original media in original packaging?

    99.90% -- Less than a half dozen sampler burns out of close to 1000 CDs collected over the past 15-20 years.

  6. Re:Linux on PPC? I'll take OS X on Yellow Dog Linux v4.0 Released · · Score: 3, Interesting

    The $150 isn't what stops me from trying something like Yellow Dog. It's the lack of vendor software builds such as Oracle, Sybase, etc.

    As a developer, I can get free/cheap developer kits on x86 Linux or Windows from any major vendor. But when it comes to POWER, SPARC, or other OS's you need to buy everything, if it's available at all.

    That really is a shame -- especially the limited AMD64 support in some cases.

  7. Re:5000 years of prior art ... on Sun Files For Patent on Software Licensing Method · · Score: 1

    Good point.

  8. Re:But Sun is cool on Sun Files For Patent on Software Licensing Method · · Score: 2, Informative

    No, a licensing model cannot be patented. Anyone who thinks it should be patentable is smoking crack.

    Even phone company pricing packages are often very, very similar with only the promotional name and actual values used for the billing calculations changing.

  9. Some never learn on SCO Files for Stay of Execution · · Score: 1

    I think it's simpler. Some people never learn to cancel a project when it's going to cost more to finish than you expect it to earn back.

    They seem to be looking at it as a "waste" to give up now. It would make sense to be so stubborn if they had anything, but even if SCO manages to identify infringing lines at some random point in the future, IBM can just pull out the change history data, trot out the engineers who wrote the code, and let them explain it personally.

    The same goes for a lot of other situations, like those of us who'd spoken with Sequent engineers about NUMA/RCU as a VM pitch.

    Of course SCO itself could just be a huge FUD, in which case you have to wonder what the fudsters might be doing.

  10. There are other ways of viewing it on U.S. IT jobs Down 400K Since 2001 · · Score: 3, Insightful

    India, China, and many other such nations also have a huge demand for infrastructure growth and development. Before they get greedy about the foreign markets, maybe they should take care of building up their local business market?

    Wouldn't that also help get a few more people employed in those countries instead of merely sucking jobs from other nations?

    Maybe we need to find ways to work more efficiently as well, and put more of our resources into actually doing our job instead of wasting it on IP lawsuits.

    Can you imagine starting a business nowadays? Before you could even think about approaching potential partners, you'd have to spend months or even years just working out how you're going to defend against Microsoft, SCO, and other overly-aggressive companies.

    It may sound trite, but imagine how much more actual work and revenue-generating business enhancements could do with, say, the money IBM has spent defending against SCO so far?

  11. Amazingly tenacious on SCO Files for Stay of Execution · · Score: 1

    They are amazingly tenacious for a company which in all this time has yet to demonstrate a shred of valid evidence, while wasting hundreds of millions of other company's money.

    Maybe I was wrong about whether all of industry is "getting it."

  12. Thank you on Early Warning For Microsoft Premium Customers · · Score: 1

    I am truly amazed at how the industry has woken up to the potential a simple shift of priorities gives us all. It's refreshing to know that if you scream loud enough, even Microsoft can "get it."

  13. Re:New concept same stuff... on Beat Spam By Not Using Email · · Score: 1

    Funny, I thought hardware encryption devices were kind of meant to work with the system to offload the main CPU. Wouldn't there also be options for Cisco et. al. to do SSL tunneling that doesn't require limited-platform VPN software?

    Put the money in the right hardware, and the CPU load should be a non-issue.

  14. Re:Let me get this straight on Federal Judge Rules Oracle can Bid for PeopleSoft · · Score: 1

    Thanks for the clarification. I thought this was some sort of forced-takeover issue.

    But I always thought of PeopleSoft as an HR solution in the first place, so I'd have thought Oracle was trying to fill out their product portfolio. As long as components remain interchangeable, I don't see why it should be an issue for a vendor to have multiple business service components. The catch is whether those components are being used to establish artificial barriers, or if they're being used to allow customers to do one-stop provisioning.

    Consider the startup business in particular:

    Having a one-stop provider while you get your bearings and figure out what you need for long-term technical options can make it a lot easier to focus on getting your business started instead of your data center. Maybe it's one vendor, maybe it's a bunch of vendors coordinated by a management consulting firm, maybe it's a global provider like IBM or Oracle that has their support behind dozens of vertical markets and components. As long as you avoid lock-in, it's a fair approach to getting started.

  15. Re:Hmmm... on Miguel de Icaza Debates Avalon with an Avalon Designer · · Score: 1

    Not the boot firmware, but a boot disk that contains the various checksums and security keys needed to identify the system, decrypt drives, identify itself to the network peers that it's expected to service, scan the core services and software components for damage/intrusion, etc.

    The traditional packet firewall/wire protocol layering is fine if you have complete control over your physical data center. But if you're trying to distribute part of that over VPN connections, secure WAN links to business partners, etc. you have to ensure that the packets are from the node they claim to be, that they've not been altered, and potentially encrypted. The encryption itself is an option, depending on what you have in place for physical infrastructure security.

    In essence, think of a B2B distributed world where you have to be able to coordinate servers securely over the internet cloud. Just because top-tier enterprises can afford full physically secure data centers doesn't mean that everyone can do so.

    Why stick with just HTTPS/XML/SOAP and web forms if you could tunnel virtually any protocol? Many of those non-generic protocols make much more efficient use of network bandwidth, CPU, and memory. With hardware accelerated SSL facilities, it doesn't even have to really have any significant effect on your server traffic load.

    That's presuming, of course, that you're using real hardware for a data center, not a bunch of office PC's or workstation class machines with minimal redundancy or failure detection.

  16. Perspective on How Well Do You Estimate? · · Score: 2, Interesting

    You would be describing the difference between localized perception and overall truth, the essential gap between concept and reality.

    For example, I can look at the North American business market and go "Wow! Microsoft owns this market!" because all I see is Windows on the desktops.

    But in truth, it is the back-end data servers from a myriad of companies and providers which are entrusted with the critical business information, not the desktop. The desktop is merely an access point and a collection of utilities to help people analyse and format that information.

  17. Re:New concept same stuff... on Beat Spam By Not Using Email · · Score: 1

    Not a new concept, but a creative application of an old idea to solve a problem for some people. Lotus Notes, Exchange, and other products do much the same thing. Some even require that you add on the internet email support rather than using it by default.

    I'm more concerned by the number of email services out there that still use plaintext connections, sometimes with minimal or no security. Sure it's easy for the ISP's, but how hard would it be to at least use SSL on the SMTP ports to help protect their customer's authentication information?

  18. Let me get this straight on Federal Judge Rules Oracle can Bid for PeopleSoft · · Score: 1

    As near as I understand it, the judge is effectively saying that Oracle is allowed to "force" the PeopleSoft board to sell?

    By what means? If the board is convinced the long-term value of the company is better served by remaining independant, who is the judge to say otherwise? Who is anyone other than the stock and share holders of the business to say otherwise?

  19. Re:Hmmm... on Miguel de Icaza Debates Avalon with an Avalon Designer · · Score: 1

    Actually I thought the best approach to microkernel implementations were Numa/RCU at the driver level, some of the various VM system implementations, and the micro-boot code approach of the Alpha processor.

    Essentially what you need is a ring 0 resource manager that can securely execute different operating systems, which may well include monolithic services. Let's take a DNS service for example.

    You want to isolate your services on seperate physical or logical nodes and operating systems. That minimizes your penetration risk such that if there is a hole in the service, only that one VM/node is compromised.

    If you take the Linux, BSD, or any other kernel with appropriate POSIX and ANSI C/C++ APIs, ICU, etc. as a set of build libraries, you could statically build a 100% dedicated image that can boot from a read-only medium. If you further encrypt that medium, or somehow use a disk encryption key on that boot medium, you can guarantee that the system is starting with a known image. I realize the GPL forbids that, but I've always thought restricting the command line options for the linker to be a bit excessive.

    Let the compiler and linker chew for a few hours or days, and you could do the same for pretty much any service node.

    If you further use some form of SSL boot keys provided by some hardware device, you could even set up systems so that you can boot in either a read-only production mode, or use a different boot key to start up in admin mode so you can alter the core system config and software profile.

    Add in some virtual storage, and you can take an alternate deployment approach where the central application management console coordinates those images on different EMC, IBM, Hitachi/HP, or other data clustering solutions. A physically secure set of nodes is used to stage the software rollouts, and then the service images are restarted with the updated build.

    It's in taking responsibility for those components -- the OS and it's fundamental services -- that a vendor provides value to the business IT service community. If you can't start out with a solid foundation, you're dead before you started.

    Regardless of where in the NT layers one wants to point fingers, the fundamental problem is that you can't run Windows without the GUI, and the GUI carries along a security nightmare that hasn't been resolved in roughly a decade. That's not good enough if you want to securely host customer information or security identification facilities.

    It's not even good enough if you want to run something so basic as DNS, LDAP, Kerberos, or other cluster services. You must be able to count on the basic system 100%, not make excuses about video drivers.

  20. Nothing is flawless on Network Security Assessment · · Score: 2, Informative

    It's that simple. No matter how good the teams involved in hardware and software development, there is a virtual statistical guarantee that there is a mistake somewhere. If that mistake can be exploited over the network, you have a potentially serious vulnerability.

    The best you can do is isolate your penetration risk.

    Ideally you would want each network-enabled service on a distinct server. That way if there is a security risk with that service software on the platform, your penetration risk is the loss of that service. That can get expensive, so you either use chroot environments or VM's to reduce the physical infrastructure required, knowing that there is some tradeoff in the overall security because of it.

    Each layer of the data center environment should be firewalled from the next so that only the expected protocols from the expected hosts are allowed deeper into your data center. This all starts at the network head, typically something like a Cisco rack that port-forwards the network services to the appropriate hardware.

    In the case of a web-enabled service via Apache, plugins and hooks in Apache validate the client, handle the SSL overhead, and proxy the confirmed requests to the next layer -- web interface services (e.g. XForms, Struts, HTML/JavaScript, XML/XSD, ...). Those requests are again ideally passed through a firewall, but at very least the links between those front-end and web interface servers should be a physically seperate subnet.

    Tomcat, J2EE, etc. are common web interface service toolkits. This layer is responsible for user session management and minimal authorization feedback (e.g. enabling/disabling potential user actions for the business object interfaces being presented.)

    We're now through three layers of firewalling and validation, and finally hit the back-end application services. With J2EE or other gateways handling the web interface, the back-end application services could be interfaced via MQ, RPC, CORBA, J2EE, SOAP/XML, or any number of protocols.

    Those back-end business application services are where you can finally do the real authentication/authorization, XA transaction management, backbone message processing, etc.

    Depending on performance and security needs, there may be further layerings of business/security processing, object-relational mapping, and local or WAN database clusters.

    At the very core of it with as many firewalls and layers as possible between it and the outside world is your security center -- the primary Kerberos servers that are maintained from a physically secure location. Their information is replicated to the "runtime" servers in the data center, so even if someone were able to hack through 4-6 layers of firewalls, protocols, and potential SSL tunnels, they still wouldn't be able to alter the core identity information.

    There are thousands of products, packages, and libraries for working with that Kerberos identity core, including smart cards, biometric id's, etc.

    Tie it in with LDAP security and you can do a pretty effective job of initial application access checking without allowing a DOS on the core service. (If you can't find the core service, you can't very well flood it, can you? Not without attracting the attention of network monitoring.)

    Technically "bulletproof" is impossible, but I'd rather a few layers of Kevlar between my data and the outside world, particularly if each of those layers is provided by a different vendor using slightly different approaches to their products.

    I think having a seperate OS vendor and hardware platform for each service would be ideal, but currently that's only a theory. There are equally valid arguments that having a simple VM or microkernel with multiple operating systems could be as secure.

    In a sense, if you had all these systems and services on the big iron from IBM, Sun, Hitachi, HP, etc. the internal data bus can be thought of as a multi-gigabyte per second virtual netwo

  21. Re:Hmmm... on Miguel de Icaza Debates Avalon with an Avalon Designer · · Score: 2, Interesting

    That depends entirely on whether you buy into the idea that you have to use Microsoft-provided components, or if you've downloaded or purchased a host of third-party products like Mozilla, Opera, Eudora, X-terminal emulation packages, MKS Toolkit to at least get a POSIX scripting environment, cross-platform database access libraries, ICU, Xerces, Apache, etc.

    I've never actually worked with anyone who built their applications entirely with Microsoft technology. Yes, Access and Excel and such are used to prepare desktop level reports via ODBC gateways, but unless you've bought into Microsoft for your entire suite, any of it can be replaced.

    The question is how hard it is to replace, and what the benefits are of the different platform options in your server spaces. The desktop is by definition a hostile environment unless it's been specifically designed otherwise.

    As long as a sales rep's kid can disable the security to install a video game, or just because they're ticked off about their "low" allowance, the desktop/mobile environment is a security risk.

    The problem is that Microsoft seems hell bent on dragging those desktop security issues into the data center, and there is just no need for it. There are plenty of secure gateway protocols they can use to access the datacenter.

    For that matter, isn't it Microsoft that's pushing C# as a cross-platform development standard? If they are truly building their business on that base, why should they care what the underlying kernel is provided it runs the C# runtime?

    I see nothing they are describing which requires binding the kernel, and no benefit to such binding other than platform lock-in and a deliberate breach of established industry security standards and protocols.

  22. Re:But you have to do what you can on Longhorn Will Have Ability to Ban External Storage Devices · · Score: 1

    And in every one of those cases you would have a machine or add-on installed to do it.

    Just because a gun is neither good nor bad doesn't mean I'm about to leave a loaded revolver on every employee's desk.

  23. Re:what is this supposed to mean? on 20,000 Zombie PCs -- $3000 · · Score: 1

    Do you have any idea how much of the clog can be eliminated if the ISP:

    1. Blocks all file sharing ports at the customer port/head, including NFS, DFS, SMB, IPX, etc.
    2. Blocks all black-net addressing.
    3. Blocks all outgoing packets which attempt to forge IP addresses (i.e. mismatched from address) and shuts down the offending node

    Congratulations -- you just eliminated a major chunk of the infection vector.

    For those who really want to share their files over the internet, force them to learn how to configure a safe VPN or SSL tunnel, or buy the product/services to do so if they don't want to figure it out themselves.

    That isn't to say I think all the traffic should be virus scanned, filtered, and designed to make everything safe for the user. That would be as impossible as making the interstate system safe for drunks to drive on.

  24. Re:It is about USABILITY not disk space on WinFS' Spot on Back Burner Nothing New · · Score: 1

    Ok, I see your point on storage costs, but my point is that performance growth is rarely linear as your data set increases. The more you add to the indexes and the more alternate bits of information you have to synchronize, the slower things get -- rapidly.

    Sure you can index your PC, but what good is that when the vast majority of user information is on intranet and internet servers? Even if you couple LDAP to the file system and scrap service isolation security or OS ring protection, the fundamental IO bottlenecks will not allow you to do any better than match the performance of a fast XA service coordinator, while you lose the code isolation that improves security and maintainability.

  25. But you have to do what you can on Longhorn Will Have Ability to Ban External Storage Devices · · Score: 1

    I've worked for many companies who would lock down or remove floppy drives, unused connectors, lock down BIOS passwords with hardware intrusion detection, and even diskless network workstations.

    It's not a new idea to disable write access to devices, but I thought one company had an even more effective approach. They encrypted all floppy writes. If you tried to use the disk on a machine that didn't have the corporate image, it was junk.

    Don't forget that when you're dealing with corporate desktops, the user's don't have "rights". They are employees, there to do a job, not to install gadgets on company hardware in violation of security policies.