Slashdot Mirror


User: Bert64

Bert64's activity in the archive.

Stories: 0
Comments: 12,200

Comments · 12,200

  1. Re:m68k support? on AMD64 Surpasses i386 As Debian's Most Popular Architecture · · Score: 1

    I played with m68k linux on an amiga fairly recently, and there does seem to be some active development going on...

  2. Re:Wow! on AMD64 Surpasses i386 As Debian's Most Popular Architecture · · Score: 1

    Windows implemented PAE, and it even worked properly... They intentionally disabled support for >4GB on lower end versions of windows, the code actually checks whether you have a license for using more ram. I believe someone documented this a while ago and made a blog post about it...

  3. Re:Not surprising... on AMD64 Surpasses i386 As Debian's Most Popular Architecture · · Score: 1

    I was a heavy user of linux/alpha, even still have several boxes here...

    Alpha never had a multi-arch problem, it was pure 64bit from the start and not extended to 64bit later. I was also a fairly heavy Sparc user, and the state of 64bit linux/sparc support was quite poor... We had a 64bit kernel, but the userland was all 32bit and you needed a separate sparc64 compiler to build the kernel.

  4. Re:Not surprising... on AMD64 Surpasses i386 As Debian's Most Popular Architecture · · Score: 2

    Windows has no problem running 32bit apps on 64bit hosts, although 64bit windows came years later than 64bit linux...

    Drivers of course are a problem on windows, a lot of older hardware has no 64bit drivers and likely never will because the manufacturers have long since abandoned the hardware.

    64bit linux has no problems running 32bit binaries either, however since most applications can easily be recompiled as 64bit native, the necessary libraries required for compatibility with 32bit applications are often not installed... Personally i have had no need for 32bit compatibility on any of my 64bit linux machines.

    Drivers on linux are much less of a problem, not only has 64bit linux been around a lot longer than 64bit windows, but most of the drivers come with sourcecode and are trivially recompiled...

    On 64bit windows and solaris, the 32bit userland libraries are included by default so there is no compatibility problem... Also on Sparc it makes sense for the userland to be 32bit because 64bit sparc programs just use more ram unless you are actively making use of 64bit specific features like >4gb ram etc. On x86-64 you get the benefit of a larger register set, so programs generally run faster as 64bit.

  5. Re:I Use Words Good on Xen-Based Secure OS Qubes Hits 1.0 · · Score: 2

    Your VM could be clustered, and could get migrated to another server, giving you another target to attack.
    Having root on one cluster node might give you the ability to access other nodes, depending on configuration... At the very least you could probably force a vm to be migrated, and then use that to root the other node.
    You would have access to all the other vm images running on the same host, some of which may have access or common passwords to other images running on other physical hardware...

  6. Re:Fun but not interesting on Frankenstein Code Stitches Code Bodies Together To Hide Malware · · Score: 2

    In some cases some really stupid crap is a dependency and takes forever (why must all graphics-related ports want to compile the complete X11 system for example)

    This is why Gentoo has USE flags, so you can turn off optional dependencies if you don't require their functionality.

    The Windows model is somewhat better, albeit has its own problems. Most windows applications, even when they have shared libraries, distribute the shared libraries they use and keep them in their own directories. If you remove these, the system library is then used. It's also possible to just replace a library. However some applications are really bad... and I mean broken-by-design if you use any shared libraries at all...

    The windows model is more convenient for end users, at the expense of performance and efficiency... And incidentally, OSX works in a similar way with application bundles.

    The system provided shared libraries maintain binary level backwards compatibility by including multiple versions of the library, making it much easier to run old binaries but also causing significant code bloat and resulting in the presence of lots of old and potentially insecure code.

    By including libraries with each application instead of installing them centrally, you end up wasting memory if you ever run several programs at once, since each one will load its own copy - thus defeating one of the key benefits of shared libraries.

    Also by including libs with each app, you end up with an absolute nightmare should a security vulnerability be discovered in one of them... Instead of updating the library centrally, you now have to update each individual application that uses it, either by installing an updated version of the app (usually by hand since windows lacks any proper package management), or by manually replacing the library version (which may or may not work). You also have various vendors which ship old versions of libraries which already have known security holes!

    The biggest problem with the windows model however, is the fact that it's mandatory... You cannot go and strip out all the old libraries and configure the system centrally.... Linux can actually operate in the windows way quite easily, but the fact it doesn't is largely because package management and source code availability eliminates most of the hassle of keeping centralised libraries while retaining the benefits. The windows model is largely a kludge designed to mitigate the lack of package management and sourcecode.

  7. Re:Blames on The True Challenges of Desktop Linux · · Score: 1

    The problem with marketshare, is that if you don't have any you get ignored...
    I'm all for freedom of choice, but until MS are knocked off the monopoly position they are able to restrict choice for others.

    Look at browsers, a few years ago IE-only sites were common, putting anyone who chose to use a different browser at a significant disadvantage. Now you can be pretty sure that the vast majority of sites will work on any relatively modern browser, and you are free to choose whatever browser you wish without being punished for it.

    The same needs to happen elsewhere, with OS, with document formats, once we're in a position where choosing anything other than ms is not punished things will be so much better.

  8. Re:Well, not calling them a "fan" might be a start on Ask Slashdot: What Should a Unix Fan Look For In a Windows Expert? · · Score: 1

    Certs do not prove that you have a great deal of expertise, or that you enjoy learning about the system in depth... They prove that you were able to pass the exam, by fair means or foul.

    Many people have zero interest in the field and are solely concerned with doing the bare minimum to get paid. They will learn the absolute minimum to pass the cert, and if they can repeat the answers without understanding the reasons behind all the better. That's not to say there aren't exceptions, but based on experience there are a LOT of people out there with certs and no actual knowledge, experience or even interest in technology.

    I would generally ignore the certs, and concentrate more on experience, what people do in their spare time, and their ability to answer questions or troubleshoot problems presented to them during interview.

  9. Re:Well, not calling them a "fan" might be a start on Ask Slashdot: What Should a Unix Fan Look For In a Windows Expert? · · Score: 3, Informative

    Not only that, but the best people are those who have experience of multiple systems...

    If someone knows only windows, or knows only linux, then that's what they will push for every time regardless of what's actually the better option. Just like there are plenty of people out there who will push for expensive oracle databases for even the most trivial of tasks.

    Also find out what someone does at home, is it a purely 9-5 for them or are they interested in computing at home?

    And for windows specific questions, see how they fare when something goes wrong and they have to venture off the mcse path, eg they have to resort to command line, registry hacks or recovery boot media to fix something... A lot of so called windows "experts" get completely stumped when faced with something that can't be done through the gui.

    Also the term "windows professional" is pointless, it just means "someone who makes their living using windows" and has nothing to do with their competence at the job. Many people do such things for a living and are highly incompetent, they are professionals but i wouldn't want to hire them.

  10. Re:It's About the Unique Features of BitCoin on Large Bitcoin Ponzi Scheme Collapses With a Loss of $5.6 Million · · Score: 1

    Ponzi schemes are illegal in most countries anyway, irrespective of the currency (or in some cases, goods) used to fund the scheme.
    Regulation of the currency is entirely separate from use of the currency to commit other types of fraud. Billions of dollars and various other currencies are involved in illegal activities of one form or another on a continual basis.

  11. Re:use it to build my own products on Ask Slashdot: How Did You Become a Linux Professional? · · Score: 1

    Yes, i see the word "professional" being misused a lot... As you pointed out, it's purely to do with using it for paid work vs using it for personal reasons.
    There are plenty of amateurs in all manner of fields who are considerably more skilled than professionals (and often a lot less likely to cut corners because they're doing something they enjoy rather than a boring 9-5).

  12. Re:That's nice on Photo Reveals UK Plan: "Assange To Be Arrested Under All Circumstances" · · Score: 2

    Not only did they hang low ranking germans who were only following their orders, and who would likely have been executed or tortured by their own superiors had they not obeyed those orders...
    But they didn't do anything whatsoever about the various atrocities committed by stalin and his followers.

    As they say, history is written by the victors.

    If you were an ordinary german at that time, and hitler gave you an order... Your choice was between obeying it, or face being rounded up by the ss and taken to a concentration camp as a traitor. Regardless of how immoral you felt the order was, your only other alternatives were either extremely risky (try to escape and defect, you might get caught doing so, or germany may win the war and recapture you), or involved certain torture and death.

    It's very easy saying the orders they followed were immoral, but when faced with the choice of either torturing and killing total strangers, or watching your family being tortured and killed and then being tortured and killed yourself the instinct for self preservation usually takes over.

  13. Re:For "sloppy coding"? Definitely! on Should Developers Be Sued For Security Holes? · · Score: 1

    Depends how the company treats their staff...

    If you treat your staff poorly, they will do only the bare minimum, as they have no incentive to do anything more. Typically almost all of the staff will be behaving the same way.

    Also, in countries with good employee protection legislation, you can't easily be fired unless you do something extremely stupid... If you are complying with the terms of your contract but doing the bare minimum required then they have no legitimate reason to fire you.

  14. Re:This does seem a little one-sided... on Apple and Samsung Both Get South Korea Bans · · Score: 2

    Most likely the products banned were the ones the case was originally brought against...
    Their current products may also technically infringe, but by the time a court case is brought and heard they too will be obsolete. The legal process, like many other things, is simply too slow for the modern world.

  15. Re:For "sloppy coding"? Definitely! on Should Developers Be Sued For Security Holes? · · Score: 1

    FOSS is often held to a higher standard...

    Most security related appliances (eg firewalls) run on open source code.

    Various security standards that companies or government agencies are expected to follow are much tougher for unix like systems and often have requirements that windows is unable to meet (eg secure storage of passwords, removal of unnecessary software from the system)... windows basically gets a free pass on several things that a unix system would be marked down for, because windows is incapable of meeting the criteria at all. Unfortunately the resulting standards are considered equal, despite that clearly not being the case.

    Many arguments against open source center around bugs or deficient features, and yet these same people will quite happily continue using proprietary software which has its own different set of bugs and deficiencies.

    And yet it should really be held to a lower standard, because you've not paid so much for it.. You expect a cheaper product to be inferior, and if the savings outweigh the inferiority (ie the product is adequate) then it's acceptable... On the other hand, if the cheaper product is superior then it's exceptional value. Conversely, a product that costs more has to provide a lot more value for money to justify the price differential, otherwise it's a rip off.

  16. Re:For "sloppy coding"? Definitely! on Should Developers Be Sued For Security Holes? · · Score: 1

    Prove it. I'm basing this assumption on the fact that most people want to ensure they have food on their plates. Not doing your job ensures the opposite.

    Doing the bare minimum required by the job puts food on their plates... If sloppy buggy code is accepted (which it usually is), then that sets the bar, and if the company sets unrealistic requirements then no one will be able to meet them at all.

  17. Re:For "sloppy coding"? Definitely! on Should Developers Be Sued For Security Holes? · · Score: 1

    Make the vendor liable, not the individual developer...
    If the vendor wants to decrease their risk, then they can set realistic deadlines and hire competent developers.

  18. Re:It would be the end of OSS on Should Developers Be Sued For Security Holes? · · Score: 1

    Or you could limit the liability to the price paid for the software that failed...
    Of course this is open to abuse, "yes the software only costs $1, but the mandatory support contract is $1,000,000" or "Each file is a separate product and costs $1, there are 1,000,000 files so if you find a bug in one file we're only liable for $1"

  19. Re:Short answer: No on Should Developers Be Sued For Security Holes? · · Score: 1

    The trouble is the managers are generally not very technical and are unable to differentiate between someone highly competent and a blagger...

    They also judge developers by the wrong standards, someone who turns up in ripped jeans and an old geeky t-shirt is likely to be a much better developer than the guy who turns up in a new suit, but managers will typically hire the latter.

    And finally managers can only hire whoever applies (and isn't pre-screened out by hr in some cases), and the only control they have over who applies is basically the budget their bosses allocate them for hiring... If you are offering low wages, you will get very few applicants and most of them will be incompetent. The odd time you get lucky and hire a good applicant they won't stick around because sooner or later they will realise they can make more elsewhere, and were usually just using you to get some job experience and a reference under their belt.

  20. Re:Nah on Should Developers Be Sued For Security Holes? · · Score: 2

    That's the problem of the lowest bidder system...
    Companies want to reduce costs, and don't really understand much if anything about technology... So the developer who estimates 100 hours is perceived as bad value relative to the developer who estimates he can do the same thing in 20 hours.

    In reality, the 20 hour developer will probably overrun his 20 hours, and will also almost certainly write shoddy code which is full of bugs and difficult to maintain. Although the initial quote is obviously cheaper, once you've factored in overruns, cost of fixing bugs, cost of downtime or other harm caused by bugs, cost of working around bugs, cost of future maintenance, potential cost of a complete rewrite etc it can usually work out a lot more expensive.

    And yet, businesses stumble into the same mistakes over and over again.

  21. Re:Nah on Should Developers Be Sued For Security Holes? · · Score: 2

    PHP suffers the same problem as any language that's accessible to novice programmers...

    Novice programmers will use it, and create poor code with it...

    And then non technical management with no understanding of security or technology will decide to start putting such code into production.

    Most decisions are made by people not qualified to make them.

  22. Re:Nah on Should Developers Be Sued For Security Holes? · · Score: 1

    There is a severe shortage of competent people at all levels, what this means is that:

    Management are not clued up enough in the field to spot someone who is incompetent...
    Even if someone incompetent is identified, they are better than nothing and it is extremely difficult to find replacements, many of whom may even be worse.
    There are lots of people who are incompetent on a technical level, but very good at manipulating non technical management...
    Competent people will generally see through such incompetence and manipulation right away, but most companies don't have anyone sufficiently clued up.

    As the industry matures over time, competent people will gradually start to displace the incompetent and things will start to improve... But this will take a very long time.

  23. Re:Nah on Should Developers Be Sued For Security Holes? · · Score: 1

    Big expensive software is rarely bug free, in fact it's usually a lot worse... The only difference is that users put up with the bugs and work around them, whereas for smaller suppliers they complain and threaten to move to something else.

  24. Re:Nah on Should Developers Be Sued For Security Holes? · · Score: 1

    What evidence is there that card numbers were encrypted, or that the encryption was adequate and not misused?

    Based on sony, didn't they screw up with the ps3 and give away their private key? That surely demonstrates form for poor use of encryption on the part of sony...

    "encryption" is not a magic bullet, although people often see it that way... i have seen many implementations where "encryption" was used, while providing zero security benefit. lots of places will store their data on an encrypted filesystem for instance, but because it's mounted anyone who compromises the box can easily access the data anyway... And to make matters worse, since entering a key on bootup is inconvenient, they have this done automatically, so the key is stored somewhere on the box anyway and all the hacker needs to do is find it.

  25. Re:Nah on Should Developers Be Sued For Security Holes? · · Score: 3, Insightful

    What's wrong with basic auth over ssl? it's still encrypted...
    no worse than form based auth.

    the biggest problem is that users have no idea how their data will be stored or used on the back end... the frontend auth system, whether it uses ssl, basic auth, forms or whatever, is visible to the user, but beyond that your data is going into an unknown black box..
    if you've no idea what is being done at the backend, you can't make an informed decision as to whether you want to trust a given site with your info or not.