* backups
* authentication/permissions
* simultaneous use of the same file
etc...
These are problems that have already been addressed in most corporate LANs. Fault tolerance is an issue, yes, but if I had to trade the few items above for the extra tolerance that a P2P network gives me, I'd stay with the regular 'ol client-server model.
I'm not saying that P2P isn't a potential solution for the future, but for this application, it's not ready yet. In my experience, the problem isn't that desperate.
isn't enough to secure just one single program, you need to secure all the programs it needs to talk to, and all the programs that they talk to, and so forth. You'll end up needing to make profiles for every program installed on system to make a truly secure system.
And yet, having a systrace policy for each application is only the first step. Developers need to be using safe string handling functions, they need to be checking for race conditions, they need to reuse more well-known code, etc. Security is hard, and perfect security is impossible. But you can make the life of a potential attacker that much more difficult if you use a layered approach.
Applications don't need access to all of the system calls. We've accepted this same premise for networks ("computers don't need access to all ports/protocols"); it makes sense to do the same for programs.
The OS and the application should work hand in hand to ensure this is done correctly.
Well, yeah, that's exactly why I drew attention to systrace. And no, it's not hard if you write applications. You have the unique position of knowing exactly what the application needs. My point is that OS and application developers should already be doing this.
Sure systrace doesn't solve all of the problems. It doesn't prevent buffer overflows from happening. But it is an important step in having a layered approach.
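The principle argued above (a program is granted only the system calls it actually needs, written down as a per-application policy) in modern Linux terms, as an added example that is not from this thread and not systrace's own code: a seccomp-bpf allowlist. The builder emits an architecture check before the syscall check, the interpreter lets you dry-run the policy against syscall numbers before installing it, and `install_policy` sets no_new_privs first. The function names and the read/write/exit allowlist are my own assumptions; it assumes Linux on x86_64 or aarch64.

```c
/* Added example: a per-application system-call allowlist (the systrace idea)
 * expressed as a Linux seccomp-bpf filter. Assumes Linux on x86_64/aarch64. */
#include <stddef.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <linux/audit.h>

#ifndef SECCOMP_RET_KILL_PROCESS           /* older headers: value from newer uapi */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

#if defined(__x86_64__)
#  define POLICY_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define POLICY_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS 64

/* Build a classic-BPF program that permits only the syscall numbers in
 * `allowed` and kills the process on anything else. Returns the instruction
 * count (n + 6), or -1 if the program would not fit or n exceeds a jump offset. */
static int build_allowlist(struct sock_filter *out, size_t cap,
                           const int *allowed, size_t n)
{
    size_t k = 0;
    if (n > 255 || cap < n + 6) return -1;
    /* 1. Refuse foreign ABIs: a syscall number only means something for the
     *    architecture the policy was written for. */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, POLICY_ARCH, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* 2. Load the syscall number, then one compare per permitted syscall; a hit
     *    jumps over the remaining compares and the deny to the final allow. */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                            offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                (unsigned)allowed[i],
                                                (unsigned char)(n - i), 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)k;
}

/* Dry-run the policy in user space: a minimal interpreter for the three cBPF
 * instruction kinds the builder emits. Returns the action the kernel would
 * take for (arch, nr); anything unexpected fails closed. */
static unsigned evaluate(const struct sock_filter *prog, int len,
                         unsigned arch, unsigned nr)
{
    unsigned acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* loop ++ supplies the +1 */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Install the filter on the calling thread. no_new_privs is required for an
 * unprivileged installer and keeps a later setuid exec from escaping the policy. */
static int install_policy(const struct sock_filter *prog, int len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len,
                                .filter = (struct sock_filter *)prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    struct sock_filter prog[MAX_INSNS];
    /* Constructed allowlist for a program that only reads, writes and exits. */
    const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group };
    int len = build_allowlist(prog, MAX_INSNS, allowed, sizeof allowed / sizeof allowed[0]);
    if (len < 0) return 1;
    /* Check the policy before trusting it: our own write() must get through. */
    if (evaluate(prog, len, POLICY_ARCH, SYS_write) != SECCOMP_RET_ALLOW) return 1;
    if (install_policy(prog, len) != 0) return 1;
    static const char msg[] = "sandboxed: only read/write/exit are permitted now\n";
    (void)write(1, msg, sizeof msg - 1);
    _exit(0);                                /* exit_group, which is on the list */
}
```

Run it and any syscall outside the list (an `open`, an `execve`) kills the process rather than succeeding, which is the "application doesn't need all the system calls" rule enforced at the kernel boundary. The dry-run interpreter is the part worth keeping in a real project: profile the program's syscalls first, then assert that every one of them evaluates to allow before shipping the policy.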
The grandmother argument is lame. Stop using it. I don't care if ESR thinks it is a good way to show why CUPS sucks. Everything is hard for an old lady.
Everything should just work, with the IT guy making certain the users' needs are met before they even know what they are. In a correctly managed facility, the IT guy's phone should almost never ring.
While this is a longtime dream of mine, I don't see the calls diminishing anytime soon. I think that I can make a very good case that the state of my company's IT is much better now than it was before I came: no more internet outages, much less spam, no more virus/malware outbreaks, and a standardized set of platforms for office workers. And yet, my phone rings like crazy (actually, not the phone so much, the BOFH in me has trained my users to use email unless it is urgent).
I suspect that, because my predecessor was so God-awful at his job, that most people simply wrote off asking him any questions because he was unhelpful. People come to me now, because they know I won't make them feel like an idiot for asking how styles work in Word, or why they can't email this picture to the production department, etc.
And I always make the point of explaining jargon to someone. Granted, I scale the level of explanation depending on that particular user's interest/temperament, but I found that the time spent training people pays off big time. Well, except for those few crazy users. The crazy ones are the bane of my existence...
Am I missing something here? All of these concepts are old news. Microsoft still makes these mistakes because it's *not a priority* for them. It doesn't seem that they actually use safe string handling techniques (despite having a technote on the subject), and their solution to problems is to rewrite the whole thing! Forget about incremental fixes when you throw the whole thing away.
Yes, modern browsers *should* be security-conscious. Microsoft has the responsibility to write secure code because we pay them to give us software that they claim is secure. Likewise, the Firefox team claims that Firefox is more secure than IE, which means that they need to back that claim up.
But that's beside the point: writing code that handles I/O appropriately is a basic requirement these days. When you're talking about networking, where nearly any person, anywhere on the network, can talk to your machine, you want to make damn sure that you've covered the basics: buffer overflows and privilege escalation.
According to Secunia (the same source of this author's data, BTW), there are still 19 of 85 reported vulnerabilities unpatched for IE 6.x. Contrast that to the 3 of 22 unpatched vulnerabilities in Firefox. This is a much more important figure to me. The Mozilla crew gets their fixes out faster, and this is why FF is deployed company-wide for us.
The most important thing this author should have asked is: what is the severity of these vulnerabilities? Something like a DoS is a PITA, but compared to a vulnerability that opens a machine to remote system access-- come on! Let's compare: IE, Firefox.
IE integrated into the base OS gives a lot of those buffer overflows much more destructive potential than some regular old program. I'm not ruling FF out as a potential threat, but so far, it has shown itself to be far less dangerous than IE.
Reuters picks up a story from BILD, a tabloid, and then runs it? Fine, if Reuters wants to get their inspiration from a tabloid, whatever, but didn't they do any fact-checking at all? Apparently not! Even worse, CNN reran this story, also apparently unchecked, from Reuters!
That's TWO major media outlets that did ZERO fact-checking!
And now, to prove my tinfoil hat is still working-- is it really that much of a stretch to suggest that some oil industry PR firm planted this story? Sure, I may be way off-base, but I think I've earned the right to speculate wildly considering that two major news outlets simply printed untruths.
Exactly. While I might not always use a grounding strap for run-of-the-mill PC repair work, I sure as hell always have one on when I open up one of our $20,000+ servers. Can I justify my job to my boss if I kill that machine? Better safe than sorry.
When our laptop users come home, they're still outside our network. That is, the jacks in their offices don't lead to the internal network, but to a firewall. If they want to use internal services, they must use a VPN, and then only certain traffic is allowed through. It's not a perfect solution, but it mitigates a lot of problems. Laptop users coming back home used to be our #1 vector for infection.
As an avid long-distance backpacker (AT '03), I can tell you that 44-84 lbs ain't light. Without a hipbelt, your spine can only carry an additional amount of weight that is roughly equal to 25% of your total body weight. So for me, that's around 40 lbs. That's maximum, and I'm telling you, even with a hipbelt to help distribute the load to my hips, that weight can grow to be quite uncomfortable over the course of a day. Without a hipbelt, we're talking about a painful weight, and 84 pounds is simply crushing. And I am in very good shape.
Plus the article doesn't mention-- what is 44-84 lbs in reference to? Is 44 lbs an empty backpack? If I have to add a week's worth of supplies on top of that, this design isn't practical at all. While some people may need power in remote places/the backcountry, I can't see myself needing power enough to justify carrying around something weighing that much. Batteries, while not replenishable, are much lighter.
The current trend in backpacking is that lighter is better. It really surprises me how long it took for this to catch on. While many people made the switch to internal frame packs 10-15 years ago, we're now seeing a trend toward frameless packs. Fabrics that are stronger, lighter, and sometimes waterproof, allow you to make a much lighter pack. My frameless pack weighs around 11 oz empty-- I can fill it to about 25 pounds before the weight begins to hurt my shoulders over the course of a day (this is a pack without a hipbelt). Yeah, there's a bit of an art to being able to get a week's worth of supplies, plus water, under 25 lbs. But when I do, I can easily cover more miles (20-25 as opposed to 10-15 with a 40 lb pack on moderate terrain) or simply enjoy myself more.
Occasionally you'll see some gearhead out on the trail with a pack stuffed full of electrical gadgets. They don't usually stay on the trail very long.
It's no wonder that so many people don't give a damn about sharing copyrighted works.
Right, and this is exactly why I think Lessig is wrong when he says "[a]nd the cultivation of culture and creativity will then be dictated by those who claim to own it."
You can't stop culture. You can't stop creativity. It will keep happening. Does anybody think that the law is going to stop change? All that will happen is that the law will be less relevant. When enough people lose faith in the system, then these restrictive schemes will come tumbling down. You can't hold back culture-- it is a flood.
Holding back a weapon that might kill somebody which replaces a weapon that will definitely kill somebody because of semantics is idiocy. Sure "less violent", whatever.
Question is, is this softraid or real hardware RAID? Softraid is next to useless on anything but Windows.
In fact, I can't see RAID being all that useful on a laptop anyway. Your hard drive is one of the biggest consumers of power in the machine; you're doubling that now. Not to mention the extra heat.
If you run RAID-0, for redundancy, you're going to have worse performance. If you run RAID-1, you'll get better performance, but the fastest laptop drive is, what, 7200 RPM? Seeks are still extremely slow compared to good desktop drives. And, unless I'm mistaken, all other forms of RAID need more than two drives. Do you really want more than two drives in a laptop? Great battery life there, and yeah, REAL portable...
This might be useful, however, if this feature ever makes its way to the desktop, although we're seeing more and more mobos with SATA RAID controllers built-in. Or, if people are willing to accept the slowdown of RAID-0, worse battery life and more weight, this *might* be useful for businesspeople. But come on... is your ordinary laptop user going to be able to rebuild parity if a drive fails?
I don't mean to sound like a grumpy old man here (oh, disclaimer: I work for a textbook publisher), but online resources and e-books aren't always the best solution.
For instance, regular books work just fine without electricity. Some books are indispensable in dead-tree form, especially if it is the kind of book you need to use when your computer is borken. Dead-tree books and periodicals are also easily portable, and if they contain pictures, high-bandwidth. Lots of people still hate reading on a screen.
Obviously, there are some downsides to real books. They take up physical space, they are difficult to reorganize, they can be more expensive than their online counterparts, they aren't searchable, etc.
But don't rule out real books. Libraries need to find a balance between the pros and cons listed above.
From a publishing standpoint, there are some additional things thrown in there-- current and popular titles will not be in electronic distribution channels anytime soon; publishers are still fretting BIG TIME about good DRM. Real books work well for publishers-- they aren't impossible to copy, but they are difficult enough, and that inconvenience is enough of a motivator to get most people to buy books instead of making copies. "Fair use" is of little concern when we're dealing with real books, since the idea was crafted when there were only real books around, but e-books are a different matter entirely. How does a library loan out a copy of an e-book to a student? It ain't gonna be free to make copies (publishers will be sure to see to that), and if it doesn't cost less than real books, what's the point!
What you're going to see in the short term are back catalogs being put out in electronic form. A publisher can't be guaranteed to make money putting out dead-tree versions of these, but in electronic form, they are extremely profitable, and there isn't much to lose. The only stumbling block here is that there is no mention of electronic distribution rights anywhere in the original contracts with the authors...
Pretty sure it was System 7. I was running it on a Quadra 605, and with my Zoom 14.4 modem I ruled the world. Free porn! My friends didn't believe it was true until they got to college.
Sure, if you take a 10 year view, things aren't so hot right now for us liberals and scientific thinkers. Maybe even with a 50 year view we'd be at or near a low point. But those of us who lived through Vietnam (and I was young, but I do remember it) and the aftermath know how bad things can really get in terms of ideology, the economy, and yes, even science. This that we're in now, this is nothing. A blip on the radar.
Considering that 50 years is roughly twice my age, and for most people, more than half, I'd say so what! Maybe this low point is a blip on the radar as far as the history of Western civilization is concerned, but shouldn't we be at least a little worried about what happens during our own lifetimes?
I take it that you mean that humanity will be OK in the long run. Sure, but with the exception of what happens during my children's lifetimes, I could care less about humanity in the long run. The fact is, religious ideologues can and will have an immediate impact on our lives if we don't do something now. The pendulum doesn't just swing back -- we have to swing it back ourselves!
I spent two years saving up my paper route money so I could buy a Mac Quadra when I was in 7th-8th grade. It was great having a powerful machine that I could play around with, and I was immensely proud that I had bought it with my own money.
Having computers around me when I was growing up had a major impact on my life. Whether it was the old beater LSI-11 that my dad had in his lab, or the family 286, or the aforementioned Quadra, I picked up tons of computer savvy when I was young and impressionable. Nowadays I run hundreds of machines for work, engineer networks, code, etc. The advantage I have over the other guys who picked up this stuff after college is HUGE! You can spot them a mile away, plodding along. And while those skills I picked up were important for my own technical career, I'd argue that they're becoming more and more important for everyday life.
My line of reasoning is this for laptops-- do you need a machine while you're traveling? Because they're expensive enough, easy enough to steal, and difficult enough to repair -- and trust me, you'll HAVE to repair it someday -- that you should just go with a desktop unless you actually have that need.
And even if a high school kid is responsible enough, s/he really should be enjoying high school, friends, sports, etc, not kicking around with a laptop. They should do the hacking at home. Just imagine all the ASCII pr0n I would have downloaded off my local BBS without my family around! (To be honest, the real limiting factors were the number of floppy disks I owned and the fact that I got caught once, GAH!)
It is possible that some people are the same, in which case, less than half are below the average.
http://www.citi.umich.edu/u/provos/systrace/
It shouldn't be that hard to figure out what a simple program like a browser needs.
Notice that the story has changed. Think about it for a second. Does the Slashdot editorial blurb make sense with the current story linked to?
Obviously, CNN realized their mistake, and printed Reuters' "retraction".
I stand by my original flame about CNN and Reuters doing no fact-checking.
You RFTA! Reuters!
Right on! I'm dumping my girlfriend. I never realized it until I read your post but-- she gets older every day!
Why else would someone buy version 12 of your word processor?
How are you supposed to bang this thing on the side to get those cool blur/gradient effects?
Holy shit, man, sarcasm?