Agreed, MacOS is severely lacking in the virtualization department. As a long time user of VMWare, I can say that Parallels doesn't stack up in comparison. Lack of multiple snapshots and, well, a general lack of the snappiness I've come to expect from VMWare on Linux or Windows is missing. VMWare's lack of product for MacOS X is especially disappointing to me as a new Intel iMac owner.
In other news, I've thought that VMWare and Apple were really missing a great opportunity with respect to virtualization. Apple wants to limit the hardware that MacOS X will run in to Apple blessed hardware. This is for two reasons: 1. They want to drive sales of Mac hardware. 2. It's a pain to support lots of models of PC.
If Apple and VMWare were to partner to release a free MacOS X virtual machine, it would allow Apple to get OS X into the hands of more prospective customers. (I haven't met a person who has *used* OS X for any length of time and not loved it.) Such an arrangement would also be good publicity for VMWare. VMWare already has a product that allows for some lockdown of virtual machines (VMWare ACE). Such an arrangement wouldn't violate Apple's goals with MacOS X (limited hardware support overhead, and MacOS X would be much more desirable on native hardware for OpenGL and whatnot). Such a move would certainly drive sales. All of a sudden millions of Windows users potentially get sucked up into Apple's product upgrade cycle: VMWare --> Mac hardware.
I wrote about this on my blog (blog.thoughtspot.net) a while back, but Dreamhost appears to be taking a dirt nap at the moment.
-Peter
Virtualization in general would be a big win. on OSx86 Cracked Again · Score: 2, Interesting
As I wrote earlier, Apple would do well to relieve some of this pent-up desire for OS X and capitalize on it by releasing a VMWare image that is sufficiently locked down for their own peace of mind.
The audience for OS X grows to anyone who can run VMWare player, they get Windows users into an Apple product upgrade cycle (upgrade to real hardware!), they still get to control the user experience the way they want to (no b0rked hacked video drivers), and best of all they get to grow their developer base.
I run FreeBSD 5.2 on a four-way Xeon box at work and thank Apple every day. If it weren't for the Mach microkernel from Apple we wouldn't be able to do these nice things with FreeBSD now or probably ever.
Actually, FreeBSD does not use the Mach microkernel. FreeBSD, NetBSD, and OpenBSD all use their own traditional kernels. The only free BSD flavor to sport a microkernel is Darwin (and its variant OpenDarwin). Actually, according to Apple, Darwin does not even support SMP on x86 platforms currently (though I'm sure this will change with Apple's transition to Intel).
Apple's pattern is to sync every major Mac OS X release with the latest major FreeBSD release.
Actually, this is only partly true. They tend to mix and match bits of the BSD userland from FreeBSD and NetBSD.
Apple's biggest contribution has been in the form of good press. Actually, Apple's OS only sort of resembles FreeBSD. The init plumbing is all different. Directory structures are very different. NetInfo is very different indeed than FreeBSD's more traditional model for user management, etc.
And what's with the link in your last line to trollaxor.com? (Look at the period at the end of the last sentence.) As glowing an endorsement this would seem of FreeBSD and Apple (of which I'm fond of both), it would seem maybe that a lot of mods were cleverly trolled?
I tend to be a little skeptical of these kind of heuristic bandwidth capping systems myself. As it turns out I work in a large, very decentralized organization that has actually used bittorrent internally as an emergency distribution mechanism.
Such a system would have to be tuned properly, and yes, bittorrent would probably be a casualty of this sort of thing. Often times the tuning of these sorts of systems can be nearly impossible in a big organization that cannot have downtime or helpdesk calls from false positives. As a result, these systems are often turned down to a state where they are not nearly as effective as they should be.
I've mentioned this before, but there are other anti-worm systems that do not risk high numbers of false positives or that risk breaking occasionally useful tools like bittorrent. Disclaimer: I have worked with these guys in the past, so I may be a bit biased :-) Nevertheless, it's the only "enterprise friendly" system of its kind that I've seen.
I keep thinking that the world would be better off if more developers paid attention to GNUStep.
Why not do it in a sane way such as:
Pick your hardware support carefully. NetBSD is good for this as things either work really well (usually the case), or they aren't supported at all. (I can configure NetBSD to use my Atheros wireless card out of the box using ifconfig. In Linux I have to know to download a beta "Mad Wifi" driver.)
Concern yourself with building the building block app kits like Apple has done. One of Apple's programming examples is TextEdit, which ships with the OS! Apple is agile because they have all the tinker toys, they just need to glue them together now.
Work on the Gui integration bits (i.e. wireless network controls, network profiles, video resolutions, printer management, etc) but do it with a cleanly abstracted design. Make sure that each item works flawlessly with a common set of hardware before expanding hardware support or adding features.
Build a community of app developers who like consistent look and feel and adhere to UI guidelines.
Take advantage of cross pollination from Apple. Allow app developers to build for StepBSD and Apple reasonably easily.
This is my hope for a desktop oriented BSD. I'm typing this from OS X on my powerbook, but I think the world still needs a compelling open platform.
Could you possibly make a more arrogant comment? God save American egocentrism.
Well, given the context of his post, I'd say this is more likely to be an instance of Australian egocentrism.
Even still, I must say that I've been to Moscow twice in the past 4 years and that their (albeit aging) metro system compares favorably to any of the others that I've seen in most other places.
Here's a stat for you: More people ride the Moscow metro per day than ride the London "tube" and the Tokyo metro systems per day combined.
It just so happens that AIX support is a little behind the other platforms with pkgsrc. Nevertheless, I know what horse to bet on. Pkgsrc is amazing.
I'm actually trying to work out an issue with pkgsrc on AIX as we speak (perl58 is broken).
When I send the NetBSD people my donation, it'll be with a thank you card.
-Peter
Complaints about stability have plagued 5.x on FreeBSD 5.4 Review · Score: 4, Interesting
Speaking as a former FreeBSD user, I want this operating system to work again. I was disappointed to find that that didn't happen with 5.4-RELEASE. If you have FreeBSD 4.11 production machines and are thinking of upgrading, I suggest you leave them as they are for now.
This is sad. I too remember fondly the 4.x days. FreeBSD hasn't made the transition to these "enterprise" features like the ULE scheduler, and getting out from under the "big lock" SMP.
The 4.x series is still alive and well, but the writing is on the wall. If the FreeBSD 5.x series doesn't start fixing some of those show-stoppers, it risks becoming irrelevant.
NetBSD and OpenBSD seem to have found their niche to a certain extent. I suspect that some network equipment vendor like HP will start putting OpenBSD in switches and routers. It seems like Cisco and IOS have the most to lose from OpenBSD gaining ground.
NetBSD seems to chug away at its own pace making solid incremental gains. They tend toward evolutionary rather than revolutionary changes. When they do make more revolutionary changes, they tend to include them in small numbers, and only after a long period of vetting in the current branch.
The laundry list of improvements to FreeBSD 5.x makes me wonder if that project didn't bite off more than it could chew. That the BSD faithful are starting to raise questions about the long road to stability with FreeBSD 5.x should be a warning to other Open Source projects to stick to regular release cycles with clearly defined and narrowly scoped improvements.
I suspect that FreeBSD development may have slowed somewhat due to the "fun factor" waning. Announcing Big Gigantic Changes can be good to generate enthusiasm in a user base, but it can be oppressive to the poor developers caught doing the work. Lots of small, discrete tasks can be fun for experienced developers, and a good way to snag novices.
Despite these problems, FreeBSD has very recently been a very vibrant project. They have traditionally had a level of coordination rarely seen in any other Open Source project. I think this can work, but FreeBSD 5.x may fall into the "lessons learned" category.
Or, as I mention in my blog, Darwin may see a surge in popularity following Apple's Intel announcement.
-Peter
Wouldn't this be a successful argument for platform diversity? They have the motivation to write complex malware, but do they have the motivation to write complex and cross-platform malware?
Excellent point. However, in practice it can be a tricky balance. For example, a company that runs AIX on the Power architecture is less likely to be vulnerable to the buffer overflow exploit of the week than say Linux on Intel.
The trade off becomes "patch early, and patch often" versus "maintain an expensive development/build environment for a relatively obscure platform that sucks to build software on." As a person who has witnessed this phenomenon first hand and has felt the full pain of building all the standard OSS on AIX, I can tell you that Linux/Intel starts looking pretty good at times.
As always, it's never black and white. Platform diversity == good. Too much platform diversity == major pain in the ass.
The whole problem is twofold. The first is stupid users... The second is privilege escalation at the binary level.
Human stupidity is greatly amplified by weak architectures. If one lucky user gets a malicious email and executes the attachment (after unlocking the password protected zip and clicking on "Natalie_Portman_Naked.zip") that's bad enough. But cleaning up dozens or hundreds of PC systems clobbered by the resulting worm infestation is catastrophic. The industry is only starting to realize that we need better tools to fix stupid.
Well, my client is about 3 times your size and most likely many orders of magnitude more decentralized, but yes, it sounds like you're probably doing a better job at ESM.
You can do all of the things you talk about if you've got enough people to develop and maintain a Windows infrastructure. Windows offers some premium services and some different services than a *nix infrastructure, but it is more labor intensive in big, distributed environments.
If your labor pool is fixed (and in the government, it usually is), gaining economies of scale is a patently good thing.
Now, if only I had a nick name that presupposed a bias, I suppose I'd look like a zealot now:-)
As I wrote earlier, Apple would do well to relieve some of this pent-up desire for OS X and capitalize on it by releasing a VMWare image that is sufficiently locked down for their own peace of mind.
The audience for OS X grows to anyone who can run VMWare player, they get Windows users into an Apple product upgrade cycle (upgrade to real hardware!), they still get to control the user experience the way they want to (no b0rked hacked video drivers), and best of all they get to grow their developer base.
Seems like a win-win.
-Peter
Was this a subtle dig at the iPod Nano's screen? Do I really want to run a stylus across a screen made by Apple? *ducks*
-Peter
...despite their relatively small developer and user community.
The Q3/4 status report indicates what seems to be the modus operandi for the NetBSD team: consistent incremental gains.
I have an immense amount of respect for the NetBSD project. OpenBSD drives the BSDs (and Linux) to be more secure. FreeBSD traditionally has shown us what a great administrative user experience should be like. NetBSD continues to show us the way with respect to proper system architecture.
For example, NetBSD and FreeBSD (and OpenBSD?) natively support the same wireless hardware that Linux does. The difference? I can configure WEP and/or WPA through the exact same ifconfig that I use to configure a wired ethernet interface. No madwifi drivers. No 'download' wpa_supplicant. No difference that I'm setting up "different" network hardware. It's all just network hardware.
In my opinion Linux's weakest point is its kernel. The userland is great for the most part, but the kernel and the parts of the userland that deal directly with the kernel seem to be its major flaw. To follow the networking example: because the underlying wireless system is so fragmentary in Linux, NetworkManager (a good attempt at a friendly gui network profile configurator) feels like a bit of a bubblegum and baling wire solution. This isn't NetworkManager's fault, it's Linux's for not providing a consistent system API for wireless. In NetBSD (FreeBSD & OpenBSD?) this isn't the case.
Alas, Linux (and its collection of cool features like boot splash screens, polished user interfaces and installers, good binary OpenGL video drivers, great hardware detection utilities, commercial support on the server side, native Sun Java support, etc.) enjoys ubiquity while well architected systems like NetBSD languish in relative obscurity.
The cool Linux features often feel hackish (have you ever built an isolinux splash screen?). NetBSD has always struck me as a natural choice for building a user-oriented/workstation distribution. Some of the little features are missing in NetBSD, but they could be added easily by a team focused on such a task. If a Mark Shuttleworth style billionaire pulled an Ubuntu with NetBSD, I think the world would generally be a better place.
-Peter
Ubuntu has started by locking the root account and making proper use of sudo (and its various graphical equivalents).
This is incredibly handy. Not that you couldn't do this on other distributions, but it's nice to see this feature in Ubuntu by default. I'm partial to OpenSUSE myself, but their (and many others') handling of sudo is misinformed.
-Peter
Bastards!
Well that just tears it. I'm starting a distro called Zlackware that uses zsh.
-Peter
...and are involved in a flame war, why don't we start a constructive thread?
You GNUStep users out there: How do you configure your desktop? I've noticed that GWorkspace and Window Maker like to compete for how they manage virtual desktops.
Also, I'm not sure what application I should be using as a dock? Window Maker? Something written in GNUStep?
GNUStep seems like it's just about ready to start seeing some early adopter use, though I agree that the UI could use some spit and polish. How is work on Camaelon coming?
Also, does anyone know if Gorm is supporting Renaissance yet? It would be lovely to be able to target user interfaces for both Mac OS X and GNUStep. Maybe Gorm could be used as a drop-in replacement for Interface Builder when one wants to make a cross-platform app supporting GNUStep and OS X Cocoa?
-Peter
Worms typically don't use the "standard" IRC ports. Most organizations don't have tough egress filtering in place, but folks should start considering, "block all outbound ports except port 80". Even so, it's still possible for nasty traffic to go out on port 80, then, isn't it?
-Peter
Automated access to large numbers of systems inside big corporations and government, where they collect passwords, account names, scan for vulnerabilities and gather information from PC disk drives for evaluation and sale (corporate espionage). Use of thousands of home systems for spambots and DDoS attack fleets. It's all about organized crime and money to be made these days.
No, it ain't just kiddies seeing who they can 0wn anymore. They are playing for keeps now.
Well, that's the point with this article. We're starting to see a shift from lots of small time crooks to larger, more organized groups using increasingly more sophisticated attacks.
-Peter
Yes, you can secure a Windows box.
But, does every end user need to be a damned security expert? Sorry, but the average Joe shouldn't have to know what the hell a host based firewall is, much less if it's a good one.
Sorry, cowboy, if you are looking for easy (Gentoo doesn't cut it) and reasonably secure, the Mac is a pretty good option.
Now, if you notice, the second part of my post dealt directly with defense in depth for enterprises that pay for real, professional security experts to mitigate the risks of running Windows. Windows can be managed, but it's expensive and requires more due diligence than some other platforms that ship with a better default security posture.
Congrats on the purchase of your Venitian AMD64. When *you* get off your duff and provide support to *my* extended family's fleet of PCs at slash-rate prices, I'll list you as an alternative to buying an Apple.
Cheers!
-Peter
This is really starting to smack of organized crime. A friend of mine forwarded an article to me on this last night.
If you are an end user who just wants to use your computer, it may be time to look at getting a Mac. The bar for information security in the face of this level of organization is getting too tall for your average end user.
If you are in an enterprise situation and have a usage policy that allows users to use corporate equipment for personal banking on breaks, you may want to reconsider that policy.
Oftentimes, computer usage is negotiated by labor unions and you cannot simply change computer use policy out from underneath users. In this case, I wonder what the legal responsibilities of the company are to exercise due diligence in protecting its end users?
If you haven't already done so, it's time for a lesson in defense in depth. That means IDS, IPS, Firewalls, Antivirus, Spam blockers, AV web proxies, etc. And because perimeter defense is all but a quaint memory in today's more aggressive world, you may want to look at host-based firewalls and other AntiWorm systems.
Good luck. We all need it.
-Peter
...for contractors such as myself whose clients include big civilian federal agencies.
I try to pitch open technologies when I can, but there is historical bias against open platforms like Linux. The more announcements like this happen, the easier it becomes to make a case for Linux/BSD on the server, and maybe some day on the desktop. I suspect that as a few of the more progressive agencies adopt Linux, the more conservative ones will follow.
Protecting Windows against the malware of the week in a big enterprise is a tough job. Enterprise system management is also a tough job without an army of foot soldiers who scurry around fixing breakages in software distribution system endpoints.
Linux/BSD starts looking pretty good when you start talking tens of thousands of machines to manage...
-Peter
Does anybody know the status of keychain integration on Mac OS X?
I know that Camino exists, but I really like the nifty Firefox extensions. Unfortunately, keychain integration is really a killer feature for me.
Anyone else wish there were keychain integration? Maybe somebody has already started working on this?
-Peter
Ha!
Blocked sinuses? No problem! Just as a carefully contained fire can clear a forest choked with dense undergrowth, so too can fire cleanse your sinuses of all manner of ills.
Just one problem. What color should it be?
-Peter
I've been doing neti at home for several days trying to shake a sinus infection brought on by allergies. :-)
It remains to be seen if I'll find positive results.
-Peter