Slashdot Mirror


User: jrexilius

jrexilius's activity in the archive.


Comments · 326

  1. Re:not bad on "Port Knocking" For Added Security · · Score: 2, Insightful

    well, he worded his point badly but I agree with no service is more secure than protected service. His scenario works for him but not for all of us.

    I will have servers in datacenters spread around the US and possibly overseas. His solution won't work for me. So cost/benefit/risk compromises come into play, which is where extra layers come in.

  2. Re:A Question about packet sniffing on "Port Knocking" For Added Security · · Score: 1

    This would make for a complex client but:

    an RSA ACE server that listens to knocked ports for a given segment of time that would match the changing value on the token, if proper sequence for that time frame is given it opens the port for the given client IP that is doing the knocking (not just open the port to the world as many people are talking about here).

    This is complex, however, it is pseudo-one-time (precludes it being sniffed and replayed beyond a 60 second window), the rule would only open for the IP that is doing the knocking (no spoofing), and it would effectively be implementing two-factor authentication (the client and FOB). You could mitigate the risk of the sequence being replayed in that same minute by setting it invalid if it worked.

    Yeah, complex and resource intensive but you could reduce the risk of remote access protocol exploits.
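The scheme in comment 2, sketched as an added example that is not part of the original comment and is not RSA ACE/SecurID code: an HMAC-SHA256 over the 60-second window number stands in for the token value, and the names, the four-knock length and the port range are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60           # seconds per window, the 60-second interval from the comment
KNOCKS = 4          # assumed sequence length
PORT_BASE = 20000   # assumed knock range: ports 20000-29999
PORT_SPAN = 10000


def knock_sequence(secret: bytes, now: float) -> list:
    """Port sequence valid during the time window containing `now`."""
    window = int(now // STEP)
    digest = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    # Two digest bytes per knock, mapped into the knock port range.
    return [PORT_BASE + int.from_bytes(digest[2 * i:2 * i + 2], "big") % PORT_SPAN
            for i in range(KNOCKS)]


class KnockVerifier:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.progress = {}      # source IP -> (window, index of next expected knock)
        self.used = set()       # windows whose sequence has already worked once
        self.allowed = set()    # source IPs the firewall rule would be opened for

    def observe(self, src_ip: str, port: int, now: float) -> bool:
        """Feed one observed knock; True when this knock completes a valid sequence."""
        window = int(now // STEP)
        if window in self.used:             # sequence already worked: invalid for everyone
            return False
        expected = knock_sequence(self.secret, now)
        win, idx = self.progress.get(src_ip, (window, 0))
        if win != window:                   # window rolled over mid-sequence: start again
            idx = 0
        if port != expected[idx]:           # wrong knock resets this client's progress
            self.progress.pop(src_ip, None)
            return False
        if idx + 1 < KNOCKS:
            self.progress[src_ip] = (window, idx + 1)
            return False
        self.progress.pop(src_ip, None)
        self.used.add(window)
        self.allowed.add(src_ip)            # open only for the IP that knocked
        return True


def knock(verifier: KnockVerifier, src_ip: str, ports: list, now: float) -> bool:
    """Send a list of ports from one source; True if the last knock opened the rule."""
    opened = False
    for p in ports:
        opened = verifier.observe(src_ip, p, now)
    return opened
```

Marking a window as used after the first success also locks out a second legitimate client until the next window begins.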

  3. Re:responsible software development? on The Impact of Technophobes · · Score: 1

    LOL.. that's funny. But seriously, how about like this:

    user double clicks on email, a dialog (save || exec) if exec, the email client creates a tempfs, chroot to tempfs, creates a VM of whatever OS without access to network or real filesystem, saves attachment to VM tempfs, virusscan, mime type detect, exec handler in VM to open file. or something like that. if save, virus scan then save to disk.

    here is another one, when email is HTML, parser and viewer only renders HTML but cannot access network or compile javascript. If user really wants to exec it, save to disk and exec with normal browser.

    or how about, mail client is run entirely in a VM session with no network or real filesystem access.

    the point is that we could design mail user agents, browsers, and other applications to deal with an unsafe world a little better.

  4. Re:blaming the users? on The Impact of Technophobes · · Score: 1

    well, to continue using the metaphor, car companies don't sell a car and advertise that cruise control will do everything for you and free you of the difficulties of driving. they also don't hide the brake pedal in the glove box. they also don't tell you that there are no rules when operating it. although I don't think a car is a good analogy. I would say VCR is a better one.

    I think the parent poster's point, which I agree with, is that software developers and companies should build systems with the operating environment and target audience in mind. The users are not entirely to blame given the evolution and history of computing and its associated marketing.

  5. responsible software development? on The Impact of Technophobes · · Score: 1

    everyone wants to blame either the users or the virus writers but not the developers. In most cases microsoft, but not exclusively microsoft, is the problem. training users to bad habits such as double clicking on every icon they see, building software that hides an implicit expectation of knowledge in a user interface that encourages ignorance, and making a system that is unable to handle any of the consequences gracefully. Mac suffers from many of the same problems but their system can handle the consequences better than windows.

    Why would you build an email client to systematically treat files as trusted and place an implicit responsibility on the user to act the opposite?

  6. safe exec on Author signs MyDoom virus · · Score: 2, Insightful

    all the discussions around email and attachments have got me wondering. Do any mail clients have a VM environment in which to handle attachments?

    I am thinking that Ximian could have capability to create a temporary sandboxed wine VM to deal with attachments. I am sure someone could do the same for that legacy OS that stupid people run. Every time you double click on an attachment, or actually even open email it is doing it in a sandboxed VM or something along those lines...

  7. Re:Perens LLC, not UserLinux on UserLinux Will Support KDE · · Score: 1

    Actually, no, neither point is blown

    1) see good post

    2) just because he, or I or many other people here could support one off situations doesn't mean that it is good to add complexity with the expectation that all companies can handle it. and I don't mean they are too dumb but that their operating resources might be too small to handle having to support multiple environments.

  8. Re:Perens LLC on UserLinux Will Support KDE · · Score: 1

    uuhmm.. what planet are you on. He is building a distro for god's sake not running depenguinator on your home machines or something. I don't see you getting up in arms because Knoppix or Smoothwall don't have your favorite [insert desktop theme/bell/whistle here].

  9. Re:Perens LLC, not UserLinux on UserLinux Will Support KDE · · Score: 4, Informative

    I don't think the support is overwhelming and I think Perens discussed the issues earlier surrounding this debate. He is a level-headed guy and laid out good reasons why he was opting for one particular desktop.

    The two key points are that 1) there is the licensing issue with Qt and 2) the desire to simplify end-user configurations that need to be supported by vendors and service providers.

    The second point, in my opinion, is the more important of the two. UserLinux is just another distro for a specific purpose and shaping it to suit that purpose is effectively Perens' job.

    If you want KDE on a desktop distro get suse or lindows. He is not eliminating choice just by customizing a distro for a specific purpose.

  10. just supporting as a provider on UserLinux Will Support KDE · · Score: 1

    From the discussion it looks like his company is supporting it as a provider not that it is going to be in there as an install default (although if it is in there as an optional install seems unclear).

  11. Re:The most important bits on A Look at Microsoft's Regulatory Problems · · Score: 1

    Very good point, which is partially why most Linux, BSD, and even solaris distros come with extra CDs of apps. It really does suck to have to scrounge around on the internet to find the software to do the things you bought the damn computer for in the first place.

    Here is an idea. How about an application lock-box that is pre-installed that has a whole host of apps ready for use once authorization is acquired (if they are not free software). You could buy access keys via net or over the phone. Gives users choice of apps, no trips to best buy or 3 hr downloads via dial-up, lets vendors get money for product. Dell could ship the CD with systems... hmm...

  12. Re:Search engines are a "low cost" change on A Look at Microsoft's Regulatory Problems · · Score: 1

    for purely browser based search, you are correct, but that is not what the article suggested.

    Try toolbar that searches local PC filesystem, hotmail or outlook inbox, and/or the web and possibly news groups. That is not a low cost switching alternative.

    Try installed as part of IE, OS, outlook (and exchange) and other apps with perhaps a hidden option in a config menu that most users can't find to "hide" the searchbox (how many users still have clippy no matter how they hate it).

    Again, it's using pre-installed base and forced usage channels to eliminate competition.

    Now in defence of perhaps the notion of multi-target search capability, I think it's a good idea. I know many people that would love to be able to search for a term they read somewhere and direct it to inbox and folders, local filesystem (and net based filesystem) and web and get results returned in categories and prioritizations. But only MS can run a caching index daemon on exchange and built into outlook and local filesystem (which would probably be necessary) as most of those formats are proprietary. So who could feasibly compete?

  13. Re:Where to get started? on Unemployed? Why Not Start a Software Company? · · Score: 1

    That is exactly the challenge I am facing. For now, the first wave of customers for my products will be previous clients, friends in the industry, and previous employers. That will get me through the first 6 months, help prove out the software, and establish a presence but it won't be enough to pay all of the bills and salary for myself.

    So come June I will have to figure out how to sell, bid on contracts, and make new connections. My plan is to try and partner with other consulting groups as resellers, to use an open commission structure to encourage other people to sell for me, and get help with marketing. Perhaps make an investment such as ad space in a magazine. I will ultimately try and find someone who is a sales/marketing type to help as I don't have the expectation that I will be able to be great at it and build the product.

    That's what I am going to do. I will let you know how it works. My target customer is business rather than consumer so my approach may not work for consumer oriented products. Although the ad space and marketing tactics would apply in either case. Also perhaps you might try some form of referral rewards program or something like that. Best advice is to treat sales and marketing like you do technology. If you aren't the guru, find someone who is and ask advice, look at other products to figure out how they did it, etc.

  14. Re:doing just that on Unemployed? Why Not Start a Software Company? · · Score: 1

    Yes, there is more fat that needs to be trimmed. Lease on apartment is up in 3 months. Putting stuff in storage and renting a room. Car and insurance are essential but dropping the parking spot (as I won't be driving into the office anymore anyways). No more gym, a jump rope and dumb bells at home (but exercise is important to functioning). All said and done I should be able to trim it down to about $2500/month. Which is what is going to happen in the next 3 months. I still prefer to estimate high on expenses though.

  15. Re:doing just that on Unemployed? Why Not Start a Software Company? · · Score: 1

    you are correct. I did not mean to say that they couldn't be but that in general they are not by default. Starting a business is a rather challenging place to learn and develop these skills, while, as you say, busting your ass to build a product and pay rent.

  16. Re:The challenge of financing on Unemployed? Why Not Start a Software Company? · · Score: 1

    yeah that's exactly the challenge. Software is cheap but we work mostly to support our lives which is usually where our income goes. Income and expenses usually match each other fairly closely. If you make $1000/month you may spend all that and more. If you make $5000/month you will likely spend close to that much. You find yourself making cost commitments based on your income. "I can afford the rent for that place I like" or "I can afford that car that I like" whatever that amount is..

  17. Re:The challenge of financing on Unemployed? Why Not Start a Software Company? · · Score: 1

    no wife or kids, so I am obviously in a more flexible position than many others.

  18. Re:The challenge of financing on Unemployed? Why Not Start a Software Company? · · Score: 1

    Chicago area cost of living is fairly high. $1200 rent plus utilities, $150/month for a parking spot etc. etc.

  19. Re:doing just that on Unemployed? Why Not Start a Software Company? · · Score: 1

    ;-)

    Yeah the reason I had to move into a datacenter and get SSL certs was because I was selling webservices that required heavier bandwidth and better uptime than what local business class DSL could provide (which BTW is $300/mo). SSL cert was because customers enroll online and didn't want people getting the funny error message about cert being issued by SnakeOil company ;-) (yes could become own CA rather than apache default but they would still get warning dialog box).

    If you were building a pure software product then you wouldn't need that stuff like you are saying. Although if you wanted to sell it you may want to think about PayPal or some other online transaction broker which wouldn't cost that much.

  20. Re:The challenge of financing on Unemployed? Why Not Start a Software Company? · · Score: 1

    Here are my business expenses:

    1) server colocated in datacenter with back-up dial-in line $300/mo + $2000/server
    2) SSL cert, web site marketing costs, etc. $500/yr
    3) answering service, mail box, fax service $600/yr
    4) cell phone & DSL at home $100/mo
    5) incorporation, filings, fees, business liability insurance, registered agent $2000/yr
    6) business checking account $500/open
    7) software, $0. all open source

    So the company costs me an upfront ~$5000 and $400/month after that for a grand total of ~$10k for the first year.

    Personal expenses:
    rent/mortgage, utilities, taxes, maintenance, etc.
    car payment, gas, insurance, parking, maintenance
    debt (credit cards, student loans, etc.)
    food, clothes, fun money, living
    insurance (health, dental, death, disability, etc.) (~$200/mo for individual health)
    savings & retirement etc.

    My personal expenses after cutting out A LOT of fat are $4000/month for a grand total of $48,000 for the first year. after taxes.

  21. Re:Where to get started? on Unemployed? Why Not Start a Software Company? · · Score: 1

    I posted later on about what I am doing:

    post

    One method is to build the business and software part-time while employed elsewhere. So maybe if you are unemployed, try finding any job, even one that pays less or is not great career move and spend off time building business.

    Good luck!

  22. doing just that on Unemployed? Why Not Start a Software Company? · · Score: 5, Informative

    although I am not unemployed. An earlier poster touched on the key point: paying rent. And I mean my own rent. A software company doesn't need an office. Here are my business expenses:

    1) server colocated in datacenter with back-up dial-in line $300/mo + $2000/server
    2) SSL cert, web site marketing costs, etc. $500/yr
    3) answering service, mail box, fax service $600/yr
    4) cell phone & DSL at home $100/mo
    5) incorporation, filings, fees, business liability insurance, registered agent $2000/yr
    6) business checking account $500/open
    7) software, $0. all open source

    So the company costs me an upfront ~$5000 and $400/month after that for a grand total of ~$10k for the first year.

    Personal expenses:
    rent/mortgage, utilities, taxes, maintenance, etc.
    car payment, gas, insurance, parking, maintenance
    debt (credit cards, student loans, etc.)
    food, clothes, fun money, living
    insurance (health, dental, death, disability, etc.) (~$200/mo for individual health)
    savings & retirement etc.

    My personal expenses after cutting out A LOT of fat are $4000/month for a grand total of $48,000 for the first year. after taxes.

    I have 12 hours a day 6 days a week for 50 weeks a year, burstable to 18/7 for short stretches. When you are responsible for everything you can't burn yourself out.

    So you look at your resources, your overhead, do the math and figure out if it's feasible.

    This is completely ignoring the fact that most engineers make for very poor salesmen, financial planners, marketers, and strategists. Which are as essential to a business as good technology or product.

  23. Re:Branching on Google Social Network: Orkut · · Score: 1

    can you mod a comment as both interesting and funny?..

  24. Re:WOO HOO! on Google Social Network: Orkut · · Score: 1

    LOL!.. that's a great post.

    yeah, the provincial mindset and the desire to create cliques and hierarchies is what becomes popular on the net as the net becomes popular with the public. interesting how the net is ushering in an age of enlightenment and broader horizons freeing the masses from their normal social constraints..

  25. Re:Only solution on The Future of Security · · Score: 1

    Yes, none of those movies were ideal examples and I agree that the underlying idea of the matrix was probably lost || ignored by the general viewership but, sadly, the effect was not I think. More my point was that pop culture (and arguably human kind) promotes the idea that our society is beyond the "common man's" capabilities and that there was some external party at fault.

    You are correct in that it often takes a thorn in the ass to get people to act and that perhaps I am just more sensitive to it than others, thus my reaction at an earlier stage. I am not convinced, however, that we are anywhere near needing the type of revolution a lot of people imagine. I am, however, damn concerned about retaining the capability for such a thing as well as keeping us from needing such a thing. Ounce of prevention better than cure but you don't want to throw out the cure regardless. My focus is more on the prevention and I can't stand seeing people wanting to skip that and jump straight to the cure. Largely because they will be less effective in inspiring prevention.

    One subtle disagreement is that people never want responsibility. Life is hard enough without being reminded of the fact that you are responsible not only for your own but for your community's as well. I don't think any institution took away responsibility or encouraged its giving it up. I think people gave it up willingly and continue to do so. I don't believe that people working in a system, as a general rule, are corrupted and become evil just by working in that system. I believe that people are generally good and have good intentions and that the bad apples are the exception not the norm. However, your point of why my view of a solution hasn't worked in china or the many other past/present tyrannies is made. To that I only have to say that I was talking about where we in the US stand today and I was not discounting other solutions for other problem spaces.

    One question I have been kicking around, regarding your incubation concept, is that perhaps free societies can't be sustained and that cycles of reform/decay/destroy/reform are actually the natural law. They are in financial markets and other ecosystems. It's a fairly depressing thought but perhaps the trick is figuring out how to minimize the cycles. Not sure exactly.

    Another question I have had is in forming a new institution how would you deal with the detrimental effects that are brought on by the very success of that institution? For instance our system has been so successful that now we are less concerned with growth and freedom and more with comfort, but the very purpose of a government is to facilitate success... not sure how to address that..

    Thanks for the vote of confidence on my status as a thinking human ;-) It's good to talk and disagree about stuff with intelligent people.