These are some strange findings... I prefer email precisely because i can respond at my leisure, as opposed to a phonecall where you really are on the spot and forced to reply immediately. I will often take my time responding to email, thinking of what to write and the best way to get my point across. On the phone you dont have such time to think, thats why a lot of aggressive people (headhunters, salesmen) prefer to call you. Also, why bother checking email repeatedly, does your mail client not notify you in some way when you have new mail?
Firstly, i doubt that many linux users actually bother recompiling the kernel, all of the deployments i've seen use the kernel shipped with whatever distro they run. Recompiling the kernel is the domain of hobbyists, that said at least you have the choice.
Those security bulletins are pure FUD in this context... The microsoft ones list things that *only* run on windows, whereas most of the linux/unix advisories count a large amount of cross platform software (which can usually also be run on windows). They also count updates to advisories seperately... The linux/unix category includes not only linux, but also all the bsd's, macos, solaris, aix, hp-ux and a lot more... the windows category only includes windows. Microsoft don't release advisories for vulnerabilities found internally, only vulnerabilities found by external testers.. Internally found issues are usually fixed silently, whereas with open source the process is usually far more open.
Plus your counting a lot of third party applications for all platforms, you should evaluate the platform and the applications you intend to use seperately... I could write a stack of intentionally vulnerable windows-only applications myself, release them and then release a ton of advisories for them. That would tilt the stats unfairly, since very few people would be running my intentionally-vulnerable applications.
The fairest (tho ultimately not perfect) way to do it, is to configure systems for a set purpose, with the same or equivalent applications, and then count the number of applicable advisories (applicable to your configuration, assuming unnecessary applications have been removed and only what you actually need is installed).
That said, i would like to see comparisons between specific systems configured for a specific purpose... Most security criteria typically specify a specific "approved" configuration. Systems approved for various government uses etc, typically have an "approved" configuration, and often a list of caveats.
I would imagine that digital cameras use custom chips designed for the task, rather than general purpose processors... I imagine a chip designed specifically for JPEG2000 compression would use far less power than a general purpose CPU for the same task.
I never said it does crash, i said "if you manage to crash"... Why don't you read the parent post that i was actually replying to, who claims that macs are stable because of a lack of (userland) software.
If userland software can cause an OS to crash, then the OS is flawed. Driver level software that loads into the kernel can cause the OS to crash, that's expected. As for lack of software, there is a good selection of mac specific software, most unix software can be recompiled for macos and you can run instances of windows and other os's with their assorted apps under vmware or parallels, and if you manage to crash your virtual windows it won't take your host macos down.
Why? Will these pissed off customers stop buying microsoft products and move to a competitor? No? Then why bother trying to keep them happy? Dissatisfied customers will keep coming back, and so long as that happens there is no incentive to help them.
Exactly... The PC platform sucked, but it wasn't microsoft that made it... It was the fact that the platform was open, and available from multiple vendors, as opposed to Apple, Atari, Amiga and various others with vastly superior but proprietary platforms. Microsoft were simply swept along because they were willing to sell their OS, as crappy as it was, to anyone. Thus it was easier just to buy it than make a clone.
Sun has sued people who created a non standard implementation and then called it "Java". They have a trade mark on the name, and they only want compliant implementations to use it... Read the slashdot story a couple of days ago.
Sure they could, you just had to reduce the quality somewhat... Most sound on the Amiga was 8 bit 22050hz or thereabouts, and it sounded perfectly good... People were also quite good at creating tracker modules of copyrighted music, because music has a lot of repetitive sequences they only need to be stored once in a tracker module. Also, as you decreased the sample rate the size decreased... While a CD quality track (16bit, 44100hz) requires about 170kb/sec, reducing it to 8 bit lowers it to 85, and downing to 22050hz decreases it to 43... You could then compress this with mpeg audio (not sure if it was mp3, or it's predecessor) to reduce the size even more. You could end up with a full song at a size of 1-2mb, which takes about 20-25 minutes to download on a 14.4kbps modem, sure the quality could be poor but a lot of music was sourced from audio cassettes anyway, on which the quality was already poor. Remember that a 5mb mp3 only takes around 20 minutes to download on a 33.6 modem anyway. If your computer wasnt fast enough to play it, you could decompress it to an uncompressed file and then play that, even the oldest slowest hard drives could sustain 43kb/sec transfer rates with ease and you could play out of your soundcard into a cassette deck so you didnt need to keep a 10mb file sitting around. People used to do all of this in the early 90s...
Most programmers are paid by the hour/day for the act of writing those bits... There are very few who write once, and then sit back and do nothing as multiple copies are sold.
A lot of musicians could probably afford to produce CDs and sell them at cost-price, and write off the initial costs as marketting, while making a very small profit on each cd sold. If an artist has lots of radio airtime and cheap CDs on the shelves, people are far more likely to buy other merchandise or attend live shows.
DRM actually makes the music less valuable than it would have been without... At the end of the day, profit margins on CDs are so high that it is highly unlikely piracy rates would become high enough to make them unprofitable. Plus, musicians produce things that can't be pirated like live shows.
Great idea, remove competition from the videocard market so that buyers only have one choice for high performance video cards. Then watch as prices rise, and the pace of improvement slows massively.
The idea of such products running on unix machines, is to protect malicious files from reaching windows clients...
Aside from that, antivirus is an industry that shouldnt exist. People shouldnt be running as privileged users, to minimise the scope of damage from malware, and any vulnerabilities allowing malware to gain higher privileges should be fixed quickly, giving any virus a very short shelf life and limited scope to cause havoc. If your not running as a privileged user, there are very few ways you can ensure your malware will be automatically started after a reboot.
Amiga Power magazine used to write honest reviews about some games, but this resulted in game producers often not sending their games to amiga power for review, preferring to get them reviewed more favourably by other magazines instead. I would regularly see terrible games given ratings of 2%-8% in amiga power, when those same games never got less than 70% in other magazines... The only games with really poor reviews in those games, were small shareware/freeware games where the author didn't have enough resources to bribe the reviewer.
And a lot of this is down to the lack or adobe apps being available for linux. If adobe had ported their apps several years ago, than microsoft's position within this market would be much weaker making it a lot harder for them to force adobe out in the way they're now trying.
It is many of these companies that, through the release of countless windows programs, many exclusively for windows, that have helped microsoft get to where they are today. Did they really believe that microsoft wouldn't move in on their territory sooner or later?
CIS is not a security test, it is a "compliance" test... It tests if you have configured your system in a way that complies with their recommendations, which is very possible to do. I could take a redhat install, and follow every recommendation in their guide and achieve a 100 score. But would i want to? NO, and reading the documentation you'l come to realise why, here's a few examples:
The test looks for an ftpusers file listing users who arent allowed to FTP. Do you really need FTP? According to CIS you should run it but disallow most users from using it, is it not more secure to not run ftp at all?
Similarly when it talks about disabling X11 listening on port 6000, it checks for the X configuration files, and fails the test when it doesnt find them. But those files wont exist if you dont have X11 installed. And guess what, if you dont have X11 installed then it CANT be listening on 6000. But according to CIS you fail, because you dont have the configuration file it wants (an X11 configuration file would be ignored when you dont have X11 installed)
So how exactly is this test relevant? I replied to one of your other posts with far more detail about this test too. I'm eager to hear how you think a semi restricted FTP server is more secure than not having one at all.
"one size never fits all) then your screwed unless you replace quartz with X11"
But then:
> That makes no sense. You might as well be running Linux if you don't like the default WM? What about application support? You know, all those nice Mac applications people like and need to use.
How do you run those mac applications after you have replaced quartz with X11?
Filesystem and registry ACLs do not equal the capabilities offered by selinux, not even close. Linux also has filesystem ACLs, and stores it's configuration in files thus negating the need for special registry ACLs. ACLs are often not used because the regular unix permissions suffice for the vast majority of cases, where ACLs (and also selinux) simply introduce additional complexity.
My coment about 64bit hardware did not specifically address desktops, although you seem to have assumed it does. Also, the increasing size of modern applications may soon make 64bit desktops a necessity anyway.
As for 99.999% uptime, yes achieving that on windows is something to shout about, because it's unusual. Many organizations run databases on unix systems, including linux, where stability is taken for granted rather than something rare that gets celebrated. Most of the big companies i've worked with have been running their critical stuff on Solaris with Oracle for many years, sun don't go shouting about how reliable it is because in the high end server market, reliability is normal and expected.
Yes, windows nt was ported to other architectures, nt4 ran natively on all those architectures you mentioned, whereas 3.x had seperate versions, microsoft even used to produce mips hardware themselves for running it. But at that time nt was irrelevant, windows applications ran on dos or win16 with very few nt-specific applications, and those that did exist were typically only compiled for x86. infact, a lot of the microsoft apps were never ported to non x86 systems either. the only non x86 version of nt that made any profit (and thus a 2000 port was underway, that got cancelled at a late stage) was the alpha version, which provided x86 emulation.
I googled for headless windows, and found people talking about configuring a system using keyboard/mouse, and then detaching the keyboard/mouse... the gui is still running wasting resources, and the only management possible is that provided by the os over the network (rdp, vnc etc), what if the os crashes? there's no serial console, and the initial install still requires keyboard/mouse in any case. by contrast, the sparc or alpha based servers i manage are hooked up to serial console, when i install them i put the bare hardware complete with blank drives into the datacenter, connect serial/network/power and go back to the comfort of my office. i can then attach to the serial console, and perform a network based install of the os from there, and once installed completely manage the os.
You can make cmd.exe the default shell, it loads a command prompt instance inside of a gui (similarly if you select command prompt only at bootup), this would be analagous to loading X11, a window manager and then loading xterm, completely ridiculous and wastefull. what happened to the old full screen text-mode command prompt that nt 3.x and dos had? and you also have yet to address the serial console, how do i manage windows from a serial console? i wouldnt consider running any unix or vms system without a serial console.
My first attempt running the cis tool revealed that it tried to load a gui installer, which is already a bad sign - a secure server should never have anything installed it does not need, none of my servers need a gui. The linux versions are also aimed at suse and redhat, i don't run either of those systems so the benchmark would not be truly applicable anyway. Skimming quickly through the PDF from cisecurity, some of the tests involve things like "ftpusers" - a list of users not allowed to ftp, and tests for the presence of such a file. I dont run an ftp server, so this file is irrelevant, no users are allowed to ftp by virtue of there being no server but the scoring tool doesn't take that into account. They also talk about tcp wrappers, what is the point? iptables achieves the same desired effect (unauthorised hosts cannot connect) without the risks (tcp wrappers requires spawning a process for each connection, this consumes resources, and causes a
Very true, statistically not many people are killed by terrorists at all. The problem is the media coverage, it causes mass hysteria when terrorists manage to kill 2 people, but if a car carrying 2 people crashes and they both die it probably won't get reported at all. Even 50 people dying in a single terrorist attack, is less than the number of people who could die in a single bus train or plane crash.
Absoloutely, well said. These people have to ask themselves *WHY* they want to emigrate to the UK or US, is it because these countries are better off and the standard of living is higher? And do these things have nothing to do with the culture? If you want to enforce your culture on these countries, then they will end up in the same state as the country you moved from, so you've just shot yourself in the foot.
You have no right to enforce your culture on someone else's country. They didnt kidnap you and force you to live in their country, you went there of your own free will knowing in advance how things are done there. The governments in the US and UK already waste far too much money translating various different languages, when immigrants knew they were coming to an english speaking country and yet were simply too lazy and arrogant to learn the language.
If you want to live in an islamic country, there are plenty around. If you don't like them or they don't like you, then there's probably a reason for that. Doesn't give you the right to try and change someone else's country, try and change your own instead.
Proven?
The only thing proven about DRM, is that all of them have been broken one way or another.
These are some strange findings...
I prefer email precisely because i can respond at my leisure, as opposed to a phonecall where you really are on the spot and forced to reply immediately. I will often take my time responding to email, thinking of what to write and the best way to get my point across. On the phone you dont have such time to think, thats why a lot of aggressive people (headhunters, salesmen) prefer to call you.
Also, why bother checking email repeatedly, does your mail client not notify you in some way when you have new mail?
Firstly, i doubt that many linux users actually bother recompiling the kernel, all of the deployments i've seen use the kernel shipped with whatever distro they run. Recompiling the kernel is the domain of hobbyists, that said at least you have the choice.
Those security bulletins are pure FUD in this context...
The microsoft ones list things that *only* run on windows, whereas most of the linux/unix advisories count a large amount of cross platform software (which can usually also be run on windows).
They also count updates to advisories seperately...
The linux/unix category includes not only linux, but also all the bsd's, macos, solaris, aix, hp-ux and a lot more... the windows category only includes windows.
Microsoft don't release advisories for vulnerabilities found internally, only vulnerabilities found by external testers.. Internally found issues are usually fixed silently, whereas with open source the process is usually far more open.
Plus your counting a lot of third party applications for all platforms, you should evaluate the platform and the applications you intend to use seperately...
I could write a stack of intentionally vulnerable windows-only applications myself, release them and then release a ton of advisories for them. That would tilt the stats unfairly, since very few people would be running my intentionally-vulnerable applications.
The fairest (tho ultimately not perfect) way to do it, is to configure systems for a set purpose, with the same or equivalent applications, and then count the number of applicable advisories (applicable to your configuration, assuming unnecessary applications have been removed and only what you actually need is installed).
That said, i would like to see comparisons between specific systems configured for a specific purpose...
Most security criteria typically specify a specific "approved" configuration. Systems approved for various government uses etc, typically have an "approved" configuration, and often a list of caveats.
I would imagine that digital cameras use custom chips designed for the task, rather than general purpose processors...
I imagine a chip designed specifically for JPEG2000 compression would use far less power than a general purpose CPU for the same task.
I never said it does crash, i said "if you manage to crash"...
Why don't you read the parent post that i was actually replying to, who claims that macs are stable because of a lack of (userland) software.
If userland software can cause an OS to crash, then the OS is flawed.
Driver level software that loads into the kernel can cause the OS to crash, that's expected.
As for lack of software, there is a good selection of mac specific software, most unix software can be recompiled for macos and you can run instances of windows and other os's with their assorted apps under vmware or parallels, and if you manage to crash your virtual windows it won't take your host macos down.
Why?
Will these pissed off customers stop buying microsoft products and move to a competitor?
No? Then why bother trying to keep them happy?
Dissatisfied customers will keep coming back, and so long as that happens there is no incentive to help them.
Exactly...
The PC platform sucked, but it wasn't microsoft that made it...
It was the fact that the platform was open, and available from multiple vendors, as opposed to Apple, Atari, Amiga and various others with vastly superior but proprietary platforms. Microsoft were simply swept along because they were willing to sell their OS, as crappy as it was, to anyone. Thus it was easier just to buy it than make a clone.
Sun has sued people who created a non standard implementation and then called it "Java". They have a trade mark on the name, and they only want compliant implementations to use it...
Read the slashdot story a couple of days ago.
Sure they could, you just had to reduce the quality somewhat...
Most sound on the Amiga was 8 bit 22050hz or thereabouts, and it sounded perfectly good... People were also quite good at creating tracker modules of copyrighted music, because music has a lot of repetitive sequences they only need to be stored once in a tracker module.
Also, as you decreased the sample rate the size decreased...
While a CD quality track (16bit, 44100hz) requires about 170kb/sec, reducing it to 8 bit lowers it to 85, and downing to 22050hz decreases it to 43...
You could then compress this with mpeg audio (not sure if it was mp3, or it's predecessor) to reduce the size even more. You could end up with a full song at a size of 1-2mb, which takes about 20-25 minutes to download on a 14.4kbps modem, sure the quality could be poor but a lot of music was sourced from audio cassettes anyway, on which the quality was already poor.
Remember that a 5mb mp3 only takes around 20 minutes to download on a 33.6 modem anyway.
If your computer wasnt fast enough to play it, you could decompress it to an uncompressed file and then play that, even the oldest slowest hard drives could sustain 43kb/sec transfer rates with ease and you could play out of your soundcard into a cassette deck so you didnt need to keep a 10mb file sitting around.
People used to do all of this in the early 90s...
Most programmers are paid by the hour/day for the act of writing those bits...
There are very few who write once, and then sit back and do nothing as multiple copies are sold.
A lot of musicians could probably afford to produce CDs and sell them at cost-price, and write off the initial costs as marketting, while making a very small profit on each cd sold.
If an artist has lots of radio airtime and cheap CDs on the shelves, people are far more likely to buy other merchandise or attend live shows.
DRM actually makes the music less valuable than it would have been without...
At the end of the day, profit margins on CDs are so high that it is highly unlikely piracy rates would become high enough to make them unprofitable.
Plus, musicians produce things that can't be pirated like live shows.
Great idea, remove competition from the videocard market so that buyers only have one choice for high performance video cards.
Then watch as prices rise, and the pace of improvement slows massively.
The idea of such products running on unix machines, is to protect malicious files from reaching windows clients...
Aside from that, antivirus is an industry that shouldnt exist. People shouldnt be running as privileged users, to minimise the scope of damage from malware, and any vulnerabilities allowing malware to gain higher privileges should be fixed quickly, giving any virus a very short shelf life and limited scope to cause havoc.
If your not running as a privileged user, there are very few ways you can ensure your malware will be automatically started after a reboot.
Amiga Power magazine used to write honest reviews about some games, but this resulted in game producers often not sending their games to amiga power for review, preferring to get them reviewed more favourably by other magazines instead.
I would regularly see terrible games given ratings of 2%-8% in amiga power, when those same games never got less than 70% in other magazines... The only games with really poor reviews in those games, were small shareware/freeware games where the author didn't have enough resources to bribe the reviewer.
And a lot of this is down to the lack or adobe apps being available for linux.
If adobe had ported their apps several years ago, than microsoft's position within this market would be much weaker making it a lot harder for them to force adobe out in the way they're now trying.
It is many of these companies that, through the release of countless windows programs, many exclusively for windows, that have helped microsoft get to where they are today.
Did they really believe that microsoft wouldn't move in on their territory sooner or later?
CIS is not a security test, it is a "compliance" test...
It tests if you have configured your system in a way that complies with their recommendations, which is very possible to do. I could take a redhat install, and follow every recommendation in their guide and achieve a 100 score.
But would i want to? NO, and reading the documentation you'l come to realise why, here's a few examples:
The test looks for an ftpusers file listing users who arent allowed to FTP. Do you really need FTP? According to CIS you should run it but disallow most users from using it, is it not more secure to not run ftp at all?
Similarly when it talks about disabling X11 listening on port 6000, it checks for the X configuration files, and fails the test when it doesnt find them. But those files wont exist if you dont have X11 installed. And guess what, if you dont have X11 installed then it CANT be listening on 6000. But according to CIS you fail, because you dont have the configuration file it wants (an X11 configuration file would be ignored when you dont have X11 installed)
So how exactly is this test relevant? I replied to one of your other posts with far more detail about this test too. I'm eager to hear how you think a semi restricted FTP server is more secure than not having one at all.
Granted on the first one, then make it:
"one size never fits all) then your screwed unless you replace quartz with X11"
But then:
> That makes no sense. You might as well be running Linux if you don't like the default WM? What about application support? You know, all those nice Mac applications people like and need to use.
How do you run those mac applications after you have replaced quartz with X11?
Filesystem and registry ACLs do not equal the capabilities offered by selinux, not even close.
Linux also has filesystem ACLs, and stores it's configuration in files thus negating the need for special registry ACLs. ACLs are often not used because the regular unix permissions suffice for the vast majority of cases, where ACLs (and also selinux) simply introduce additional complexity.
My coment about 64bit hardware did not specifically address desktops, although you seem to have assumed it does. Also, the increasing size of modern applications may soon make 64bit desktops a necessity anyway.
As for 99.999% uptime, yes achieving that on windows is something to shout about, because it's unusual. Many organizations run databases on unix systems, including linux, where stability is taken for granted rather than something rare that gets celebrated. Most of the big companies i've worked with have been running their critical stuff on Solaris with Oracle for many years, sun don't go shouting about how reliable it is because in the high end server market, reliability is normal and expected.
Yes, windows nt was ported to other architectures, nt4 ran natively on all those architectures you mentioned, whereas 3.x had seperate versions, microsoft even used to produce mips hardware themselves for running it. But at that time nt was irrelevant, windows applications ran on dos or win16 with very few nt-specific applications, and those that did exist were typically only compiled for x86. infact, a lot of the microsoft apps were never ported to non x86 systems either. the only non x86 version of nt that made any profit (and thus a 2000 port was underway, that got cancelled at a late stage) was the alpha version, which provided x86 emulation.
I googled for headless windows, and found people talking about configuring a system using keyboard/mouse, and then detaching the keyboard/mouse... the gui is still running wasting resources, and the only management possible is that provided by the os over the network (rdp, vnc etc), what if the os crashes? there's no serial console, and the initial install still requires keyboard/mouse in any case. by contrast, the sparc or alpha based servers i manage are hooked up to serial console, when i install them i put the bare hardware complete with blank drives into the datacenter, connect serial/network/power and go back to the comfort of my office. i can then attach to the serial console, and perform a network based install of the os from there, and once installed completely manage the os.
You can make cmd.exe the default shell, it loads a command prompt instance inside of a gui (similarly if you select command prompt only at bootup), this would be analagous to loading X11, a window manager and then loading xterm, completely ridiculous and wastefull. what happened to the old full screen text-mode command prompt that nt 3.x and dos had? and you also have yet to address the serial console, how do i manage windows from a serial console? i wouldnt consider running any unix or vms system without a serial console.
My first attempt running the cis tool revealed that it tried to load a gui installer, which is already a bad sign - a secure server should never have anything installed it does not need, none of my servers need a gui.
The linux versions are also aimed at suse and redhat, i don't run either of those systems so the benchmark would not be truly applicable anyway.
Skimming quickly through the PDF from cisecurity, some of the tests involve things like "ftpusers" - a list of users not allowed to ftp, and tests for the presence of such a file. I dont run an ftp server, so this file is irrelevant, no users are allowed to ftp by virtue of there being no server but the scoring tool doesn't take that into account.
They also talk about tcp wrappers, what is the point? iptables achieves the same desired effect (unauthorised hosts cannot connect) without the risks (tcp wrappers requires spawning a process for each connection, this consumes resources, and causes a
I dont know, perhaps it runs a 64bit kernel?
Take a read of:
http://lkml.org/lkml/2006/1/19/73
That explains it better...
Very true, statistically not many people are killed by terrorists at all.
The problem is the media coverage, it causes mass hysteria when terrorists manage to kill 2 people, but if a car carrying 2 people crashes and they both die it probably won't get reported at all.
Even 50 people dying in a single terrorist attack, is less than the number of people who could die in a single bus train or plane crash.
The muslims do have their own state, infact they have quite a lot of them:
Turkey
Iran
Saudi Arabia
Malaysia
All of those countries and many more are ruled by muslims, and they all implement islamic laws to varying degrees.
Absoloutely, well said.
These people have to ask themselves *WHY* they want to emigrate to the UK or US, is it because these countries are better off and the standard of living is higher? And do these things have nothing to do with the culture?
If you want to enforce your culture on these countries, then they will end up in the same state as the country you moved from, so you've just shot yourself in the foot.
You have no right to enforce your culture on someone else's country. They didnt kidnap you and force you to live in their country, you went there of your own free will knowing in advance how things are done there.
The governments in the US and UK already waste far too much money translating various different languages, when immigrants knew they were coming to an english speaking country and yet were simply too lazy and arrogant to learn the language.
If you want to live in an islamic country, there are plenty around. If you don't like them or they don't like you, then there's probably a reason for that. Doesn't give you the right to try and change someone else's country, try and change your own instead.