There are important reasons why malware targets flash/acrobat/java...
1, this software is ubiquitous... they used to target internet explorer before, but now it's down to >50% marketshare it's a less attractive target.
2, it can be easily reached via the browser - i.e. less social engineering required.
3, it is hardly ever updated, neither windows nor osx has a decent centralised update system that takes care of third party software like this. You might get a crude updater program, but that's useless in a corporate environment where you aren't given admin rights.
Windows is only the largest target on the desktop...
On mobiles, embedded devices, servers, supercomputers, linux is a serious player.
Sure, greater linux marketshare would increase desktop oriented malware, but it will never be quite as serious as windows because of various design choices that make a unix based system harder to infect.
Hiring cheap staff is an absolute false economy, someone cheap might be able to get a windows network limping along, but it will be horrendously insecure and unstable, not to mention that you will need considerably more of these cheap staff just to handle the day to day tasks.
These cheap staff could also get a linux network limping along; it would still be more secure and stable than windows, but still not great. The only difference is that these cheap staff probably don't have the confidence to claim linux experience.
Whether running windows or linux, you need competent staff. Competent staff will provide a more secure, more stable network, and you will need fewer of them than you would incompetent staff. You will generally need fewer competent linux admins than windows admins for the same number of systems too.
Competent linux admins will generally have a decent level of windows experience, but not necessarily the other way round.
When it comes to software, it's very unlikely that your business needs any particular software; what they need is software that serves a particular purpose, and there are generally multiple choices. Increasingly such software presents a browser based interface these days too, so the client is irrelevant.
Also as ridiculous as it sounds, the inflexibility of software has often forced many businesses to adapt their way of doing things to how the software works... This is certainly not a good thing.
For hardware, server hardware almost always works just fine with linux; it would be stupid for a server vendor to provide non-linux-compatible hardware given that linux is a significant player in the server market. When it comes to other things, like laptops and low-end desktops, sure you have to look for hardware which is known to be compatible with linux, but anyone semi-competent will be doing the same thing when buying windows systems too... You want to know what hardware you have, and you want to be sure you have quality components... Some of the more questionable low-end brands of hardware may not be supported by linux, but they may also have buggy windows drivers, hardware bugs or simply be inferior (e.g. a wifi card with much lesser range).
The smaller the cost of a system, the bigger proportion is made up by windows... And let's not forget the hidden costs:
If you have a windows volume license, it's just an "upgrade" license on top of the OEM version you pay for with the hardware...
You will probably need an AV product...
Chances are you will have msoffice, which often costs more than the hardware.
If you have multiple windows machines, you will probably have an active directory domain too, which then requires the more expensive "server" version of windows.
If you have windows servers, you will also need CALs etc, so you will spend a lot of time (or even hire someone full time) to manage license compliance.
The built in patch management of windows is crap, you will need third party tools (usually costly) to verify windows updates and provide patching for third party software.
Well, seeing as it was your HBA drivers at fault, you have far more options with Linux... It seems you were beholden to MS for the OS, and then to HP for the drivers... At least with Linux, either HP or the Linux vendor would be able to debug and/or fix the HBA driver; you could even hire developers to fix it yourself if it's important enough to you.
Also that's a pretty critical bug, drivers for a server grade raid controller have no business failing under load...
It's also insane you took that long to diagnose the problem, it should have been pretty obvious it was the io system and not the database at fault.
Large companies do use a lot of linux, but generally only on server and security critical (e.g. firewall) devices... Most companies operate on the assumption that the outside (which is often a linux based firewall) is hard, while the inside (often active directory and windows workstations) is soft.
There is a _LOT_ of ignorance and general incompetence in the IT field; it's not uncommon to find people who either have no idea Linux exists, or are rabidly against it (because it's free | because they don't understand it and fear losing their job to someone who does). Amusingly, most of these anti-linux shops who are most vocal about not using linux actually have several embedded linux devices without realising it.
Then of course you have lock in, a company of any size is likely to have lots of applications which are used by various people within the organisation, some of which won't be cross platform and therefore artificially increase the cost of migrating away from windows.
There is also fear, people are scared of the unknown... You will often find people who have no experience of linux, and who will fight hard against it because they fear losing their job to someone who does have linux knowledge. Of course, the real problem is that they are unwilling to learn new skills, a fatal flaw in an industry such as this where things change so rapidly.
And don't forget misinformation, people will often say that linux "has no commercial support" for instance, which is obviously complete bullshit.
Personally I think that long term, linux will gradually take over unless microsoft succeed in doing something drastic to make it illegal... As things mature, costs will push down towards cost price as has already happened with hardware; I predict the same will happen with mainstream software eventually.
People gradually migrate towards more open systems, due to cheaper pricing and more competition. That's why we're stuck with the IBM compatible these days and not any of the considerably superior but proprietary alternative architectures.
Well said, I only run an ad blocker because of all the intrusive ads (especially those with video and/or sound)...
When it was simple static banner and text ads I didn't have a problem.
Just because you watch ads, doesn't mean you're actually going to buy the products featured in them.
If I am subjected to ads which are too pushy, irritating or frequent I will go out of my way to avoid the product in question and most likely the company making it... I have actively sought out alternatives many times when the supplier I knew of was one that had irritated me through commercials.
Similarly, I now browse with an adblocker... Text ads I had no problem with, nor most graphical banners...
Animated ads started to annoy me, but ads with sound were the final straw... The number of times my computer would start making a noise and I had to hunt through 50+ browser tabs to find the source.
Ads which delay page loading also irritate me severely, and banner ads where the size is not pre-declared in the html so the page reformats itself as the images load.
Good ads are subtle; you aren't paying much attention but they go in subconsciously... Then when you're going to buy that kind of product, you lean towards the one you saw advertised or you think of it first.
On the other hand I detest ads which are in your face; if they annoy me sufficiently then I will certainly remember, but in a bad way, and I will explicitly avoid their products in future as well as telling other people to do the same.
Product placements are an interesting one; if done in a subtle way it actually improves the program... Someone drinking a Coke is more realistic than someone drinking a generic cola brand that has been fabricated specifically for the show.
But when done poorly as you mention, with the ridiculous zooming in and holding the product up to the camera in a way that you would never do if you were just using it normally really messes with the show.
It's worth noting that in open source software like myth, you get commercial detection and skipping etc...
In commercially produced devices, especially the big brands, you just get fast forward (which is quite awkward to use for skipping ads), no skipping, no commercial detection.
Same with video players, one of the most useful features in mplayer is skip, very few other video players seem to have this.
I cannot use the vast majority of those streaming tv services because:
1, they refuse to serve me content because of where I live
2, they refuse to serve me content in a format I can play
3, they refuse to let me download it at night and watch it later (I have bandwidth caps during the hours when I might want to watch tv)
TV here isn't quite as bad as it was in the US, but we still have lots of commercials...
But welcome to capitalism, greed ensures that they will always try to push customers as far as they can... this has resulted in increased prices and increased commercials over time, and it will only get worse until not only are their actions noticeably decreasing profits, but they can't find any consumer hostile way of keeping you locked in... Actually improving the service will be the absolute last resort.
Going to the toilet, or getting up to get a drink/snack is also a common way to circumvent commercials...
I can understand commercials as a way to fund free-to-air channels; what I hate are subscription services which also have commercials... If I already paid for it, I don't want to pay again by watching commercials!
Very few commercially available DVR systems have a skip function, usually only a fast forward function which is very irritating to use... I'm sure this is down to pressure from operators rather than any technical reasons.
You pay a fixed amount of tax irrespective of how often you want to speak in a public space or what you want to say...
This is no different from unlimited use internet, where you pay the same amount and can use it as much as you like.
In either case the only restrictions are natural ones, e.g. the amount of time and physical space for speaking in public, and the amount of physical bandwidth available on an internet connection.
If someone is not using a public space for something, then that space is wasted and the wasted time can never be reused... Similarly with bandwidth, whenever a connection runs at less than 100% capacity, that capacity is wasted. It's not like fuel where unused fuel can be saved for later.
Simple, they would only provide the inferior plans in areas where they didn't face competition...
The large providers would then use the extra profits made in these monopoly areas to undercut the competition in those areas where competition exists, until those competitors fold.
Try comparing the price and service levels in different areas, and then see what other options are available in those areas...
Exactly, more efficient/fair usage is to let the network itself take care of things... If peak time usage is slow, people will be encouraged to do heavier things off peak instead...
One of the biggest problems here btw is streaming... I can download a torrent overnight and watch it in the morning no problem, but most of the official sites will only let you stream, which means you are forced to consume bandwidth at the time you want to watch.
Another is the ridiculous insistence on specific working hours, many people could do their job equally well at any time of the day, not just 9-5, and then internet, transport and various other things would have far more spread out and manageable load instead of daily massive peaks.
If you can reach a host over the network, windows will happily disclose its hostname via several of its default protocols (netbios/nbname, rpc, rdp etc), no need to find physical labels.
Also on older versions of windows, the SID could be dumped out remotely by default too.
Because only the large incumbents are able to jump through all the hoops required to do the government contracts...
And all the large incumbents are equally incompetent, so it's not as if they can use someone better.
Even worse considering that the primary purpose such tokens are used for is to mitigate against the damage which can be caused if a password is leaked... And one of the most common ways for passwords to leak is via keyloggers, which require privileged access to a compromised host anyway.
So if you have the capability to run a keylogger, you have the capability to copy the software token. You only gain any benefit from the system if you run the soft token on a physically separate device, and even then it's easy to screw it up (e.g. run it on a phone, connect that phone to the compromised workstation via usb).
RSA keeps a copy of all the seeds, in a database linked to the serial numbers of the tokens...
RSA suffered a security breach during which that database was leaked...
If you can acquire that database, then having the serial number is game over.
Protecting the algorithm is pointless, it could always be reverse engineered from the server implementation which has been available for years. A program called 'cain' has had an implementation of this algorithm for quite some time.
The strength of the system is protecting the seed values, and this is dependent not only on the customer to not leak their seeds, but also on RSA to not leak everyone's seeds.
The algorithm has long ago been reverse engineered; I believe a program called "cain" has been able to generate token values for quite some time when given the initial seed value.
The big flaw in this system however, is that the seed values are provided by RSA and not generated locally by the customer, so if RSA gets hacked (as they did), or employs someone who can be bribed etc, the seeds leak and the whole system is compromised.
You as a customer are dependent on RSA, but you have no control over them; this is a big risk.
I would only consider using a token scheme where:
a, the algorithm is published and has been reviewed by competent third parties.
b, anything private like seeds or privkeys is generated by the end user, not beholden to a third party.
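A token scheme that meets both conditions above, as an added example that is not code from the original comments: HOTP/TOTP (RFC 4226/6238, a published and publicly reviewed algorithm) with the seed generated on the user's own device rather than shipped by a vendor. The function names are my own; the enrolment values in `__main__` are constructed.

```python
# HOTP (RFC 4226) and TOTP (RFC 6238) with a locally generated seed.
# Added example, not from the original thread: the algorithm is public and
# the only secret, the seed, never exists in a vendor database.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def generate_seed(nbytes: int = 20) -> bytes:
    """Generate the shared secret on the user's side.

    No third party holds a copy, so a vendor breach cannot leak it.
    20 bytes (160 bits) matches the HMAC-SHA1 output size used below.
    """
    return secrets.token_bytes(nbytes)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, for_time: Optional[float] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if for_time is None:
        for_time = time.time()
    return hotp(seed, int(for_time // step), digits)


def verify_totp(seed: bytes, code: str, for_time: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and up to
    `window` steps either side (clock drift), comparing in constant time."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time // step)
    for delta in range(-window, window + 1):
        expected = hotp(seed, current + delta, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def provisioning_uri(seed: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI, the de facto enrolment format for authenticator apps.

    This is the one place the seed leaves the generating device, and it is
    the user handing it to their own authenticator, not a vendor keeping it.
    """
    b32 = base64.b32encode(seed).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    # Constructed enrolment: the user generates the seed, the server stores
    # that same seed; nobody else ever sees it.
    seed = generate_seed()
    print(provisioning_uri(seed, "alice@example.com", "ExampleCorp"))
    code = totp(seed)
    print("current code:", code, "verifies:", verify_totp(seed, code))
```

The RFC 4226/6238 test vectors (seed `12345678901234567890`) can be used to confirm the implementation against the published algorithm.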
Pirated proprietary software *is* free...
The way the end users see it, is they have a choice between an open source product they have never heard of or which they believe to be inferior, which costs nothing, and a big name proprietary product they have heard of which also costs nothing. Because they can get the big name product for free, they never even bother investigating the open source one at all.
If they were forced to pay for proprietary software instead of pirating it, then users would be far more likely to consider cheaper alternatives and do some research.
It's likely that many of these companies would actually make a much bigger loss if there was no piracy...
Piracy is about the biggest factor keeping use of free software down, those who can't afford the well known proprietary brands simply pirate it and that keeps the marketshare up and ensures that free alternatives remain niche.
If you eliminated piracy entirely, then based on a very conservative estimate of 27% using pirate software (I'm sure more do, and simply didn't admit it), and half of those moving to at least some free alternatives because they can't afford (or refuse) to pay for all the software they use... You would see a 10% marketshare for free software.
At the moment desktop linux is a small enough niche that hardware manufacturers and OEMs generally ignore it; 10% would be high enough that it wouldn't be ignored, and you'd end up with a cascade reaction.
People are generally frugal, and will not waste money frivolously unless they have plenty of it... If you have two products which do the same thing, one is free and one costs even a relatively small amount, the one that costs has to be both significantly better and still easily affordable. People compromise quality for price all the time...
And of course, a quality tradeoff isn't always the case, a lot of free software is superior to commercial alternatives and even that which isn't would rapidly improve once it attracts more attention.
So i wish the BSA all the success in the world!
Because Apple are usually smart enough to realise that serial numbers and drm schemes only cause inconvenience to paying customers...
I have seen countless paying customers inconvenienced because they lost their serial or had problems with a drm scheme.
I know plenty of pirates, and none of them have such problems because they downloaded fixed versions.