Sounds screwy, but it's true. If you optimize a network for one type of application, you de-optimize it for others. For example, if you let the network give priority to voice or video data on the grounds that they need to arrive faster, you are telling other applications that they will have to wait. And as soon as you do that, you have turned the Net from something simple for everybody into something complicated for just one purpose. It isn't the Internet anymore.
Now go back and read the paragraph again replacing "the internet" --> "slashdot", "video data" --> "subscribers", "applications" --> "readers". I hope that made you chuckle;^)
Given that on more than one occasion "independent institutions" which conducted similar studies (and concluded that closed source is superior) were revealed to have been sponsored by the other side, how do you convince other people of your neutrality?
Since you are selling a service, not a product, I would guess that the confidence of your customers in your independence is pretty important from a business perspective. How do you win and keep that confidence? The article notes that you agree with ESR's pro open-source reasoning. Wouldn't the perception of your having an OSS bias be something you'd want to avoid?
What do you mean by "defect rate"? Is it a measure of bugs your group found for the first time or were you looking at already discovered and documented bugs? In either case how do you ensure that you have enumerated all the defects in the code?
It is natural to expect the number of bugs to go down when more people look at the source. However, the downside to being open source from the security viewpoint is that it possibly makes it easier for the bad guys to find bugs. Have you measured the effect of this? Is it actually easier for crackers to find bugs when they have access to the code? If so, do you think the smaller frequency of bugs adequately compensates for their increased exploitability?
The parallelizability of bug-fixing is quite clearly very effective for high-visibility projects such as the Linux kernel and Apache. However, considering that most open-source projects have only between 1 and 5 developers, how popular do you think a project needs to be for it to significantly benefit from people looking at the source code?
A novice was trying to fix a broken Lisp machine by turning the power off and on.
Knight, seeing what the student was doing, spoke sternly: "You cannot fix a machine by just power-cycling it with no understanding of what is going wrong."
Knight turned the machine off and on.
The machine worked.
In the same way, the pancake will land back in the pan as long as you understand the formula.
[[Mods, mods: this is supposed to be _funny_. It's not the first time I've posted something hilarious and it got modded "Insightful"]].
Although the parent post sounds trollish, it has a valid point. Filtering incoming mail by the ISP is a bad idea, at least much worse than filtering outgoing ones.
- It doesn't help the wasted bandwidth problem.
- Since the users don't know what mail they were going to get, there is much less accountability. OTOH, if my ISP blocked the (legitimate) mail I sent, then I can complain to them.
- The ISP can be forced to implement arbitrary filters like "pro-terrorist", "anti-US", etc by the government and no one would be the wiser.
So this is a first step, but not the Right Thing. I hope ISPs start coming under more pressure to filter their outgoing mail.
The first edition is available online. Of the second edition, a couple of chapters are available (in pdf, one in html). It does not say if the remaining chapters will become available. Does anyone have information on this?
It can be a HUGE cost-saver. Schools have shown time and again that students can be very quick to adapt to new environments/OSes. I hope some advocacy group takes up the cause to get schools to consider this option.
Andy Tanenbaum's "Computer Networks" book talks about how this could go wrong.
They tried it in a conference. They wanted to telecast conference proceedings in a building some distance away using this method. They set up the equipment, tested everything the night before the opening day, and it worked perfectly.
First day of conference. No signal. The receiver didn't see the transmitter at all. Total flop.
So they checked it thoroughly again that night. Everything was still working fine.
Next morning: same story. No signal.
This repeated on all 3 days of the conference.
Organizers were left scratching their heads. The funny part is, it worked at night and failed at day without their touching anything. Sabotage? The devil??
Later they found it was because the light beam was getting bent in daytime due to the temperature gradient (same way that mirages occur). Poof.
Of course, these are just problems that will inevitably occur when a technology is in its nascent phase, I'm sure it'll get ironed out as it goes commercial.
The article talks about rain and fog, but is silent on the sunlight issue.
This is the reason MS calls their thing the recycle bin. They first called it trash, but Apple cried bloody murder over it and threatened to sue.
But don't think they're going to take this lying down. They'll patent their recycle bin icon and call it "environmentally friendly waste disposal system icon" or whatever. (Get it? recycling)
I don't mean to disparage AOP or anything, but getting it right in practice is often a far cry from applying methodologies. I've sat through a software engineering course, and its irrelevance to writing good software is striking.
Go read The Art of UNIX Programming (online) NOW! The author is ESR. It's an amazingly useful book. It cuts out all the hype and gives you a higher-level philosophical insight into effective programming.
Quote from the book:
Assemblers, compilers, flowcharting, procedural programming, structured programming, "artificial intelligence", fourth-generation languages, object orientation, and software-development methodologies without number have been touted and sold as a cure for this problem. All have failed, if only because they 'succeeded' by escalating the normal level of program complexity to the point where (once again) human brains could barely cope. As Fred Brooks famously observed [Brooks], there is no silver bullet.
That's truer than you think. For instance, take this "Code Complete" book by some Microsoft guy. I went through the horror of being forced to read some chapters of it in college. It recommends monstrosities like "Hungarian encoding": the name of each variable should reflect 1) its data type 2) what type of variable it is ("counter", "array index", etc) 3) what it's supposed to do 4) what you were thinking when you named it, and other things too numerous to list.
This is from /usr/src/linux/Documentation/CodingStyle
Encoding the type of a function into the name (so-called Hungarian notation) is brain damaged - the compiler knows the types anyway and can check those, and it only confuses the programmer. No wonder MicroSoft makes buggy programs.
The article reads like a showcase of the OS security model. Basically Sendmail Inc. made available a patch before news of the vulnerability leaked and exploits could be created. Classic case of the good guys spotting the bug before the bad ones.
Quote:
"Working with the private sector, we alerted key owners of the vulnerable software and got them talking," said David Wray, spokesman for the IAIP Directorate. "We think this is a great example of how this should, and does, work."
The Department of Homeland Security got high marks from the security community for giving companies the necessary time to create the patch and for synchronizing its release.
"This is the model for what you do if you want to find a vulnerability," said Alan Paller, director of research for the SysAdmin, Audit, Network and Security (SANS) Institute.
- Making jokes about dupes on slashdot (bonus point if you can include a reference to the Mysterious Future)
- Pretending you misread "World of Ends" as "World Ends" (bonus point for linking it with Bush/RIAA/Microsoft/{insert favorite evil agency here})
- Posting the highly moderated comments in the previous story as your own here
Thank you.
The article answers your question:
Could it really be that /.ers are going and reading the article???
If so, today, 6th March 2003 will be remembered as a special day in the history of slashdot ;^)
http://catb.org/esr/jargon/html/Some-AI-Koans.html
There is a serious game (with tournaments and all) which is somewhat similar to this. It's called tiddlywinks.
The gnome people take the chattering of a million random monkeys seriously? God save them ;^)
But you can get thin client machines with COTS systems! Check out the Linux Terminal Server Project.
You can use it with laptops.
We have a firm commitment to NATO, we are a part of NATO. We have a firm commitment to Europe. We are a part of Europe.
--Dan Quayle
I can understand their wanting to protect their company's image, but the image of their trash can? Don't you think that's going a bit too far?
If not, I'm making one right now!!!
Check my .sig soon to know when it's available for download.
If these guys are actually interested in selling music to people, not just pissing them off, then they need to soften their tone just a little bit.
Yup. Nothing can save it from slashdot.
You mean one realized that the article does mention it? No surprise there, no one RTFAs on /.
Wha... that was supposed to have been "although"?
Oh.