Make a corporate-friendly, highly manageable release of Firefox: an MSI installer, so it can be easily deployed via Active Directory; management via Group Policy; default settings that don't make a mess of your roaming profile.
If Round Two did this, I imagine that they could make a decent income from organizations that are tired of IE but want something easier to deploy and maintain than Firefox.
Mozilla bug #74085, comment 113 expresses these shortcomings of Firefox better than I did and provides more information on the above issues.
In my experience, FrontPage actually works quite a bit better with Apache 2.0. FrontPage for Apache 1.x requires patching your Apache or downloading pre-patched binaries from rtr.com or Microsoft. FrontPage for Apache 2 can load cleanly as a module, no server modifications needed.
If you want the official notice of Apache 2 support, see here.
I hate the small size of the box I'm given to enter my search terms.
You can make the search bar wider by editing your userChrome.css file as described here. Of course, there's no point to manually tweaking Firefox like this if you're happy with Mozilla.
You have to create some kind of text file outside of Mozilla with Notepad or something, save it somewhere (no default location), and then go in to the preferences and browse to the location of that text file that you somehow figured out how to create. And you can only have that one text file, so only one signature unless you go through that process again. And it's either there or it isn't.
It's not quite that bad. You can write the signature within Thunderbird itself, rather than using Notepad, then save it to a text or HTML file. And you can set up multiple identities, each with their own signature, and change them on the fly while composing a new message.
I would agree that it's still a lot kludgier than it should be.
A fourth reason - free-as-in-beer, closed-source spyware removal utilities are already ripped off by unethical software companies (see here for an example), and this would discourage people from making open-source utilities that would be even easier to rip off.
Security by obscurity, no matter who does it, is still bad. Just because the WHOLE WORLD didn't know about it doesn't mean some virus writer didn't; it just meant everyone continued to use un-patched Java installs in blissful ignorance of the risk.
You're saying that vulnerability details should be announced before patches are completed? I'm afraid I disagree. There's a fair bit of evidence (see stories here and here) that black hats are using vulnerability announcements and patches to find exploits rather than finding them themselves. If that's the case, keeping vulnerabilities quiet until the software company's had a chance to patch them is a good idea, even if security through obscurity is in general a bad idea.
Could you please elaborate on problems you've had with SLOX? Our organization is getting ready to purchase some groupware, and SLOX was one of the leading options that I was considering.
SPF states that the DNS server of the sending domain says who is permitted to send mail. Unless spammers' zombie machines are DNS servers, they'll never get a chance to reply that they sent the messages or send ACK signals or anything of the sort.
Going after the spammers' clients is a good idea, but there's also value in pursuing technical solutions such as this.
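The comment above describes SPF from the publishing side: the sending domain's DNS says which hosts may send its mail. What the receiving mail server does with that record is easier to see in code, so here is an added example (not part of the thread): a small SPF evaluator in Python. It runs against a constructed in-memory DNS table (FAKE_DNS) rather than live DNS, and goes a little beyond the comment by handling the ip4, ip6, a, mx, include and all mechanisms with their qualifiers plus the RFC 7208 limit of ten DNS-querying mechanisms per check. All domain names and addresses in it are made up; a sending host whose address is not listed (a spammer's zombie, in the comment's terms) ends up with fail or softfail.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline; a real checker
# would issue TXT/A/AAAA/MX queries for these names.
FAKE_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 mx include:_spf.mailhost.example -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["198.51.100.25"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:203.0.113.0/26 ip6:2001:db8::/32 ~all"],
    # Pathological record that includes itself; the lookup limit must stop it.
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per check


class SpfError(Exception):
    """Raised for a malformed policy or one that exceeds the lookup budget."""


def lookup(name, rtype, dns):
    return dns.get((name.lower(), rtype), [])


def _count_lookup(counter):
    counter["lookups"] += 1
    if counter["lookups"] > MAX_LOOKUPS:
        raise SpfError("too many DNS lookups")


def check_host(ip, domain, dns, counter=None):
    """Evaluate the SPF policy published by `domain` for sender address `ip`.

    Returns one of: pass, fail, softfail, neutral, none.
    Supports ip4, ip6, a, mx, include and all; the ptr and exists mechanisms
    and the redirect/exp modifiers are deliberately left out of this illustration.
    """
    counter = counter if counter is not None else {"lookups": 0}
    records = [r for r in lookup(domain, "TXT", dns) if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not records:
        return "none"          # the domain publishes no policy at all
    if len(records) > 1:
        raise SpfError("multiple SPF records for " + domain)
    addr = ipaddress.ip_address(ip)
    host_rtype = "A" if addr.version == 4 else "AAAA"
    for term in records[0].split()[1:]:
        qualifier = "+"        # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "a":
            _count_lookup(counter)
            matched = any(addr == ipaddress.ip_address(a)
                          for a in lookup(arg or domain, host_rtype, dns))
        elif name == "mx":
            _count_lookup(counter)
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in lookup(arg or domain, "MX", dns)
                          for a in lookup(mx, host_rtype, dns))
        elif name == "include":
            _count_lookup(counter)   # include only matches when the other policy says "pass"
            matched = check_host(ip, arg, dns, counter) == "pass"
        else:
            raise SpfError("unsupported mechanism " + name)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"   # reached the end of the record without a match


def evaluate(ip, domain, dns=FAKE_DNS):
    """Receiver-side wrapper: turn policy errors into the permerror result."""
    try:
        return check_host(ip, domain, dns)
    except (SpfError, ValueError):
        return "permerror"


if __name__ == "__main__":
    for sender in ("192.0.2.10", "198.51.100.25", "203.0.113.5", "2001:db8::1", "203.0.113.200"):
        print(sender, "->", evaluate(sender, "example.com"))
    print("loop.example ->", evaluate("192.0.2.1", "loop.example"))
```

The lookup counter is shared across include recursion on purpose: without it, the self-including loop.example record would recurse forever, and a record that fans out into many includes would let a sender turn one incoming message into an open-ended stream of DNS queries from the receiver.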
Yes and if you relied on your linux machine to run a major database, we would accuse you of gross incompetence too.
I'd agree that gross incompetence is a fair accusation. (The same sort of gross incompetence that, for example, gets the DoI kicked offline three times.) I am suggesting, though, that gross incompetence (instead of a conspiracy to keep data secret) might be a sufficient explanation.
Or it might not. Maybe I'm not distrustful enough of government.
One of my Linux machines is currently suffering from some substandard SCSI equipment and some DMA problems on one of the hard drive controllers; until I can schedule the downtime for software upgrades and hardware troubleshooting, I'm leaving things the way they are. As long as that's the case, the system mostly works, but certain disk-intensive operations (such as searching hundreds of MB of logs) degrade performance enough to make the system nearly unusable.
I doubt that this is terribly relevant to the computing problems experienced by massive government databases, but I can at least conceive of how a "mass export of all stored images" (to quote the article) could significantly interfere with the database's everyday usage on a sufficiently poorly-designed/maintained/updated system.
The article also states that the government plans on having the upgrades completed, and the data available, by December. (I'm not going to touch the issue of how accurate this statement is.)
The article does go into a bit more detail than that... They use a program called TaintBochs (probably hacked from the open source emulator Bochs) to track sensitive data and find out where exactly it goes and how long it's there. This sounds to me like a nifty hack, and they're actually doing research to come up with quantitative results on how long data sticks around, instead of just saying, "Um, yeah, stuff gets swapped out."
Wouldn't this be a good reason for the OS to permit programs to pin pages in RAM? The only reason I can think of not to permit that would be that a hostile program could DoS a system by pinning lots of memory in RAM; if the OS strictly limits the amount of memory that a program can lock in RAM, that would fix that.
I think that gpg runs setuid just so that it can lock its memory in RAM; why don't Linux and Windows offer this feature to non-privileged programs?
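The two comments above propose exactly the design Linux adopted: unprivileged processes may pin pages with mlock(2), bounded by the per-process RLIMIT_MEMLOCK resource limit (in place since kernel 2.6.9), while a process holding CAP_IPC_LOCK, such as root, is not bound by it. The following added example (mine, not from the thread) shows what that looks like from a program's point of view: it reads the limit, pins a small buffer holding a constructed sample secret, wipes and unpins it, and then asks for one page more than the soft limit so the cap can be seen being enforced. It assumes a Unix libc that exposes POSIX mlock/munlock (Linux, the BSDs, macOS) and calls it through ctypes.

```python
import ctypes
import errno
import mmap
import resource

# Constructed sample secret; a real program would hold key material here.
SAMPLE_SECRET = b"constructed-example-passphrase"

# Assumption: a libc exposing POSIX mlock/munlock (Linux, *BSD, macOS).
_libc = ctypes.CDLL(None, use_errno=True)
for _fn in (_libc.mlock, _libc.munlock):
    _fn.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    _fn.restype = ctypes.c_int


def memlock_limit():
    """(soft, hard) RLIMIT_MEMLOCK in bytes; resource.RLIM_INFINITY means no cap.

    On Linux 2.6.9 and later this is the budget an unprivileged process gets;
    a process with CAP_IPC_LOCK (e.g. root) is not bound by it.
    """
    return resource.getrlimit(resource.RLIMIT_MEMLOCK)


def _try_lock(size):
    """Attempt to pin `size` bytes; return (buffer, errno name or None)."""
    buf = ctypes.create_string_buffer(size)
    if _libc.mlock(ctypes.addressof(buf), size) != 0:
        return buf, errno.errorcode.get(ctypes.get_errno(), "UNKNOWN")
    return buf, None


def lock_secret(secret):
    """Copy `secret` into pinned memory, use it, then wipe and unpin it.

    Returns a dict describing the outcome. ENOMEM means the request exceeded
    RLIMIT_MEMLOCK; EPERM means locking is not permitted in this environment.
    Caveat: the `secret` bytes object passed in is ordinary, swappable heap
    memory; a careful program reads the secret straight into the pinned buffer.
    """
    size = len(secret)
    buf, error = _try_lock(size)
    result = {"size": size, "locked": error is None, "error": error}
    if error is not None:
        return result
    try:
        ctypes.memmove(buf, secret, size)   # this copy lives only in pinned pages
        # ... the secret would be used here ...
    finally:
        ctypes.memset(buf, 0, size)          # wipe before unpinning so nothing swappable keeps it
        _libc.munlock(ctypes.addressof(buf), size)
    return result


def probe_limit():
    """Ask for one page more than the soft limit to show the cap being enforced.

    Returns the errno name (ENOMEM expected for an unprivileged process), or
    None if the lock succeeded (CAP_IPC_LOCK held), or "SKIPPED" when the
    limit is unlimited or too large to allocate sensibly in an example.
    """
    soft, _ = memlock_limit()
    if soft == resource.RLIM_INFINITY or soft > 64 * 1024 * 1024:
        return "SKIPPED"
    size = soft + mmap.PAGESIZE
    buf, error = _try_lock(size)
    if error is None:
        _libc.munlock(ctypes.addressof(buf), size)
    return error


if __name__ == "__main__":
    print("RLIMIT_MEMLOCK (soft, hard):", memlock_limit())
    print("lock_secret:", lock_secret(SAMPLE_SECRET))
    print("one page over the soft limit:", probe_limit())
```

Run as an ordinary user, the first lock succeeds and the over-limit probe comes back ENOMEM; run as root, the probe succeeds because CAP_IPC_LOCK bypasses the limit, which is the DoS concern the first comment raises and the reason the limit applies to unprivileged code in the first place. Pinning only stops the pages from being swapped; it does nothing about core dumps or the copies a language runtime makes, so the wipe-before-unlock step matters as much as the lock.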
I don't know that I agree with the statement that spammers are stupid - some of their tricks can be quite clever - but it is one of the recognized laws of spam, formulated by the inhabitants of news.admin.net-abuse.email on the basis of their experiences dealing with spam and spammers.
The Wine FAQ states, "The documentation is often bad, nonexistent, and even misleading where it exists, so a fair amount of reverse engineering has been necessary, particularly in the shell (Explorer) interface. The biggest problem facing Wine though is simply lack of manpower. At one point, over 5000 people were working on Windows 2000. While Wine doesn't need to replicate all of Windows (we only cover the parts needed to make Windows programs work), that's still nearly 10 times more people working simply on one release than have ever worked on Wine, in the history of the project."
First, they say their main limitation is lack of manpower. Second, it's not that Microsoft has hidden the documentation, it's that Windows documentation "is often bad, nonexistent, and even misleading" - I've been under the impression that this is due more to sloppiness than to maliciousness on Microsoft's part, since MS, in general, benefits from making Windows an attractive program to developers, and bad docs work against this goal. I don't know that the EU ruling would make Microsoft go back and clean up their sloppy documentation.
Depending on what interfaces Microsoft is forced to open up, I could see opening the interfaces to be a huge benefit for interoperability with Active Directory and Exchange and for programs like Samba.
"Fedora Core" distinguishes the current, core distribution from various add-ons and alternatives (Fedora Extras and Fedora Alternatives) and from software packages for older distributions (Fedora Legacy). See here.
(There don't seem to be any packages released yet under Fedora Extras and Fedora Alternatives, but there's no harm in planning ahead, I guess. Fedora Legacy is alive and active and has already released several updates for Red Hat 7.2/7.3/8.0.)
This isn't really a new argument. Marcus Ranum's web site, for example, contains a counterargument, links to articles discussing arguments for and against, a link to the paper by Dan Geer that brought the monoculture argument into the limelight, and some sarcastic comments on the new monoculture study that the C|Net article mentions. ("$750,000 to sit around and whine about Microsoft? How do I get a gig like that?!")
Out of curiosity, which of you out there will be affected by this? Is it more in the home or in the office? What services are you depending on these "older" systems running and what changes have you done to take care of them? I am just curious to hear from people out there.
Most of our college's servers - email, file, LDAP, DNS, one or two smaller DBs - are on Red Hat 7.2. I haven't had to make any real changes yet to take care of them. They're all stable, they all work fine, so I just plan on rolling my own RPMs for any security releases in the immediate future.
In the not-so-immediate future, I'm going to upgrade to RHEL 3. I held off for academic pricing, which Red Hat didn't make available until last month (AFAIK), and that wasn't nearly enough time for me to upgrade all of our servers before RH7.2's EOL. And I'm finding that RHEL 3 is missing several features from RHL that I've come to depend on, which will complicate the upgrade.
I'm now uninstalling RedHat 7.3 and running Debian stable. Who cares about the cutting edge? I have users to serve.
...unless, of course, your users care about cutting edge, in which case things aren't quite so simple. Which is not intended as a criticism of Debian, it's just a comment.
When last I did look at Debian, though, it seemed to me that their security updates were rather slow in being released. This was enough to scare me away from Debian for a while. I know I'm getting a bit off-topic here, but are there any Debian users who could comment on that aspect of Debian?
Windows 98 = 8 years of support. I'd rather have 8 years of support for a buggy product than this.
In my experience, Windows 98, even with support from Microsoft, will consume a fair bit of effort just to keep functioning.
My unsupported RedHat 7.2 machines, on the other hand, are pretty much rock solid. The only thing that they really need now is the occasional security update, which you can get from Progeny, or from Fedora Legacy, or you can roll your own. Rolling your own RPM isn't too hard, and in a lot of cases you can simply take the SRPM from Red Hat or Fedora and rebuild it for your system. Rolling your own updates for Windows isn't really an option, and Windows 98 would be such an unstable basis that I'd consider it a waste of effort.
I'm sure Scott Kirwin, founder of the Information Technology Professionals Association of America, made this comment from his cell phone, lodged behind the wheel of his luxury car headed back to his 6 bedroom $2.5M home, fresh off a lunch of caviar and Dom Perignon... I hate to think that the head of an organization named the Information Technology Professionals Association of AMERICA could hold such a dim view of American technology workers.
I think that Scott Kirwin, founder of the Information Technology Professionals Association of America, is being a tad sarcastic in his quote. If you look at the ITPAA's web site (I couldn't access it at the moment, but I used Google's cache), they're opposed to outsourcing.
The Yahoo article states that the same tech firms defending moving jobs overseas are also pushing for better education in the U.S. Kirwin's quote is presented in the article as a counterpoint.
In my experience, MS APIs have some of the best documentation out there; I've never come across a situation where I would need to see the source code after reading the relevant pages on MSDN.
Library source code can be extremely useful for debugging; you can step through the library to see what exactly causes your library calls to fail, to see if your problems are caused by a bug within the library, and to more easily get a feel for how the library works in general.
There are also times when you may want to use the APIs in ways never foreseen by even the best documentation. (For example, ever try writing a Linux emulator for Windows?) Library source code can be helpful here too.
Keep in mind, though, that the .edu pricing includes no support whatsoever.
Yes, just open the Address Book and click "New List."
"Never try to extort more than it costs to have you killed."
I'm not certain that I understand your point.
I'm pretty sure that MS has. PartitionMagic and Ghost, for example, can both read and write NTFS partitions.
The specs for NTFS have not been released publicly, which is why the Linux implementation of NTFS is so incomplete.