Slashdot Mirror


User: 51mon

51mon's activity in the archive.

Stories: 0
Comments: 302

Comments · 302

  1. Re:Ubuntu hype on Ubuntu On The Business Desktop · · Score: 1

    OpenOffice Base attempts to clone the Access experience whilst creating the stuff underneath in slightly more sensible formats.

    Pig slow, and not Access, but it might suit some people trying to do this sort of thing. Certainly it isn't difficult, and probably requires less know-how than Access.

  2. Re:Sendmail? In a secure system on Hardening Linux · · Score: 2, Informative

    > Otherwise it will continue to stand to reason that sendmail has just as much place in a secure system today as Qmail.

    Compare the security history since both qmail and postfix were released, let's choose January 2003, against sendmail.

    CERT Vulnerability note search.

    Sendmail 6 vulnerabilities including 4 buffer overflow vulnerabilities, at least one risks a remote root exploit, one was IBM specific and just silly IBM. Many prior ignored.

    Postfix one DoS in 2003.

    Qmail no hits.

    Patching complex systems doesn't meaningfully reduce the number, or scope, of security holes in most cases, you need (re)engineering to do that, or at least rewriting problem areas from scratch. Software doesn't always age gracefully, as any programmer will tell you.

    Given the much more extensive feature set of Postfix to Qmail, hey Qmail may be quite secure, but it doesn't do very much, I choose Postfix. Sure Sendmail is improving, but they would have to release a whole new architecture to attract the security conscious system admins.

    Indeed they have just announced a new sendmail with a security architecture that borrows heavily from the Postfix school of thought.

    Don't get me wrong I'm just dismantling our last two sendmail servers, and they have done an okay job, but they required a lot more love and attention than Postfix would have to keep them going. Qmail is even easier if you only want what qmail does, otherwise it is patchomatic time, and I don't trust the qmail patches to be as secure as Dan's code.

  3. Re:Typical slashdot post exaggerations on Microsoft Reports OSS Unix Beats Windows XP · · Score: 2, Informative

    > Windows appears to beat linux on quite a few other tests (such as memory use of a 'hello world' program, the executable size, and even some of the 'cost of basic operations' tests)

    The executable thing is a figment of comparing apples and oranges, the Unix code was statically linked, which is basically including all sorts of stuff that you wouldn't in the real world.

    Good dynamic linking is something the Unix (and clones) have done for a while (read long before Windows even started on this route), and was why we could run fully featured, X Windows based, Office suites (and Window managers) for umpteen users simultaneously on 125MHz PA-RISC machines with 100 or so MB of memory, and still have memory spare. And you still see this edge if you compare terminal services like deployments.

    The cost of operations is less on pretty much everything but thread stuff, but then the cost of creating a process is so low in Linux, threads are more of a convenience for programmers than a structural component, as others have discussed. Although I think there are advantages to good thread handling, cost of creation can usually be mitigated by maintaining pools of threads (as can the cost of process creation in Windows for certain tasks), certainly the typical environments where one uses threads for performance reasons (think Apache2).

    The tests basically tell those who understand computers, that they understand them correctly. Windows is faster at creating threads, the Unix crowd is better at pretty much everything else. It is what you'd expect comparing server class OSes against a desktop system. No one really cares if XP can't fork a process efficiently, if you only run a new application every half an hour, but if you fork (or prefork) for every incoming email request, you better do it efficiently.

    I don't quite follow the sequential I/O for small block sizes, the default blocksize in the Unix world for the traditional filesystems is typically 8Kb, and no one ever opts for smaller (well some of the new filesystems do), particularly if they expect a lot of sequential I/O when they opt for bigger, so faster sequential I/O for block sizes less than this is I suspect of no relevance in the real world. Probably just indicates code in the Unix systems that assumes a larger block size, and is thus redundant. Kind of like discovering that a human brick layer outperforms your wall building machine, if you break all the bricks into pieces before you start, interesting, but mostly shows your wall building machine expected bricks to be, well, brick sized.

  4. Re:Best disinformacija quote on SAP Exec Disparages Open Source As IP Socialism · · Score: 1

    > You'd also think a high-level executive would be aware of what OS's are shipping and which are not.

    Maybe SAP management don't know the difference between beta and release, it would explain a lot about SAP ;)

    I'm intrigued how an "innovative" desktop would be copying another, this must be some corporate definition of "innovative".

    Of the more widely used desktops I've used, I think KDE has the most innovative things going on, MacOSX is still driving ease of use (good on 'em), and GNOME seems to be heading in a similar direction. But I'm sure there are less well known desktops out there doing even more radical things.

    Innovation doesn't usually happen at the center. People want Microsoft to do more of the same for their business desktop, I mean a radically simplified, network integrated, and more secure desktop for Windows Vista would go down like a brick if it didn't run 90%+ of existing Windows applications, even if it did fantastically novel things. Cue the HAL9000 upgrade sketch. http://paul.merton.ox.ac.uk/computing/hal-upgrade.html

  5. Re:Lots of alternatives! on Linksys WRT54G drops Linux · · Score: 1

    > There are lots of alternatives to the Linksys routers.

    I'd caution people, some of the WRT54Gs idea of "supported" may not be everyone's idea of 'ease of use'.

    However I'm fairly sure my last try failed because I was trying stuff a bit beyond what was officially supported, thanks to some random patches, and I hadn't any experience of the hardware except for breaking it with a firmware upload, and finding the support people had no idea what "the original firmware" might mean as a phrase (how can people write that much source code and not type their email address in it somewhere ?!).

    Halving the memory isn't an issue, WRT54G already support 2MB Flash, 8MB RAM from other routers and earlier model, it is presumably getting the code bootstrapped in the first place that creates the challenge.

    I'd have thought there must be a bulk market for the Linksys WRT54G, with modified firmware, I'm surprised Linksys isn't chasing it. My Linksys router is running Linux, but it is running the stuff Linksys shipped which is adequate for the moment, I don't think I want to try figuring out ADSL support in Linux on non-x86 hardware this week.

  6. Re:A matter of trust... on IBM And Sony Form Linux Alliance · · Score: 1

    "..I can only judge the company as a whole.."

    You need some more doublethink for living on corporate earth.

    I mean I struggle with the ethical consumer bit.

    Kraft are currently being sued for spamming over the Gevalia marketing. Despite the legal denials, I doubt any other company was behind paying for such huge spam runs, so buying the wrong type of cheese snack, or savoury biscuit is supporting spamming, and I don't (knowingly) buy from thieves, and spammers.

    Coca Cola on the other hand were criticised for being less than helpful when some of their managers (in the strange world of franchising, and deals that constitutes multinational business) were accused of using murder to control union issue. Which is no doubt why Googling for "Coca Cola Colombia" gets "cocacola.com.co" as only the second hit.

    Now Monsanto's business ethics got to the point its own shareholders asked for an Ethical Oversight committee (although it could be the legal actions were beginning to hurt the shareholders' pockets).

    Now if you wander into a big supermarket, and look around, and buy only those products made by a company whose ethics are sound in every division, you'll probably go home empty handed, or nearly so. You'll almost certainly struggle to get a balanced diet.

    The modern corporate world comes largely in shades of grey, even those who promise to "do no evil" seem to after they have been floated on the stock market, argh I used that earlier in writing this response.

    I guess one could grow your own food, and drink rain water, but then have I always lived up to my own ethical standards....

  7. Re:Preventative measures on Linux Lupper.Worm In the WIld · · Score: 1

    > the vast majority of sites use name-based virtual hosting, and this worm just uses the IP address

    Ah lightbulb goes on.

    That maybe explains why the number of attempts to exploit awstats on our server was over 20 a day last week, but is now down to less than 4 a day. Shadow effect?

    Have to say I had to search out our busiest webserver logs to find any exploit attempts at all against awstats, my own personal webserver doesn't have any, in any of the sites hosted, not exactly "Code Red" proportions ;)

  8. Re:It's not Windows on Linux Lupper.Worm In the WIld · · Score: 2, Interesting

    It is called privilege escalation.

    Once any system is compromised, you have generally to assume that the attacker escalated their privileges using other exploits. If you had auditing enabled, you might be able to demonstrate that this did not happen, but if you had auditing enabled you probably reinstalled already!

    The problem with these sorts of compromise, is in some shared hosting environments, where the end user could have installed vulnerable PHP. So doesn't really matter how good the admin, or OS is, unless the OS has specific facilities to mitigate this sort of attack.

    I wouldn't take people seeing awstats attempts as proof of the worm, I've been seeing awstats exploit attempts for years, that is usually just run of the mill hacking attempts, semiautomated scanning, or earlier worms.

  9. Re:Open source is not a business model on Open Source Forming a Dot Com Bubble? · · Score: 1

    > From the programmer point of view it doesn't really matter. We seem to get paid the same whether our customer can make billions off of the bits we create, or only gets to charge a markup on our rate. Weird, huh? ;-)

    No that is just market forces, the people making billions off software have to pay a competitive salary compared to what you can charge for your own rate, otherwise no one would ever write software for them. Or did I get that back to front ;)

  10. Re:This only works if... on BBC Examines Open Source Business Model · · Score: 1

    > Medical information is available for free, too, so why bother going to the doctor?

    The doctors (in most countries) have a monopoly on the right to prescribe effective medications.

    So whilst I think you are right it is perhaps a bad example.

    Curiously my doctor would be happy to compete in a more open medicines market, as they say "there is always room at the top".

  11. Re:Maybe true, but not necessarily desirable on Windows and Linux User Interfaces · · Score: 1

    Not just Linux, look at Microsoft, put a whole load of different GUIs on top of that NT kernel. Windows NT 3.51, Windows NT4, W2K, such terrible fragmentation. Then there are all those different releases of Windows, Media Edition, XP, Pocket, SBS, why don't they just do one that suits everyone?

    And heck half the apps say "I can't be installed" under this version, but heck the kernel is pretty much the same so why not? And then there is "setup.exe" and "app.msi", can't they sort out one way of installing an application, preferably only bringing in the minimal dependencies, like Debian does as we can't all afford umpteen gigabyte disk drives just to install MacOSX (especially in my Wireless router).

    Every time I get the hang of one way of finding my IP address Microsoft move it, and what's with the zillion different ways of resolving a name, and you can type "ipconfig /all" and still not see an IP address conflict in the network settings.

    Now don't get me started on MacOS, oops doesn't seem to be available for my hardware, in fact they seem to have enough trouble getting the drivers right for the minuscule selection of supposedly supported graphics cards.....

    Next week we compare Apples, to Tangerines.

  12. Re:Powerpoint? on Red Hat CEO Decries Open Source Pretenders · · Score: 1

    > I need to be able to share documents with people all around the world, and I have to run what they run.

    Sounds ideal reason to use Free Software, rather than force everyone to part with big cash to Microsoft.

    And yes I have a copy of Visio 2000 SE on the shelf behind me, nothing to run it on any more though ;)

  13. Re:Yeah... right on Linux Community Halloween Challenge · · Score: 1

    '"why would I bother participating in this if I'm not being paid"? I think I hear Microsoft snickering.'

    Not all /. readers have the same philosophy, and quite a few of them get paid to work on free software. Heck I fix bugs and make bug reports in the free software we use at work, at work, harder than twiddling my thumbs but I'm still getting paid for it.

    And then there is the view, why should we test an antivirus system?

    Rejecting Windows executable types (and .zip) in my free software MTA's MIME type filter with two regular expressions gets rid of all of them so far. One file with two regular expressions, or a whole proprietary antivirus suite with updates and all that to-do that is complex enough to need testing, hmm let me think which should I choose.

    I mean why test something I have no need of, the only people who would benefit after all are those people in Redmond, or people using proprietary software (since none of the free software operating systems have a virus problem worth mentioning, although I'm told if you try hard enough with WINE...), the people selling the antivirus tool. Even .zip isn't exactly the archive format of choice in the free software world.

    Now if there were GNU/Linux viruses in the wild, or spreading by email, then I might be tempted, but I'd probably just fix my email client, or operating system instead, life is simpler that way.

  14. Re:Powerpoint? on Red Hat CEO Decries Open Source Pretenders · · Score: 1

    "the killers for me at least are Excel, Visio and Project"

    I know, I'll never be able to migrate to Microsoft Windows till Microsoft Office can open OpenOffice document formats, Visio open Dia document formats etc.

    And I struggle to find a decent Windows IMAP client.

    I mean, if I have to stick with Thunderbird, OpenOffice I can't see the point of moving off Debian. You'd think Microsoft would fix these things, otherwise they'll never win back any of the market share they have lost.

    If you have no pain with Windows, you'll never move, but don't start trying to justify it to yourself, you did your job before Visio, and have no doubt learnt to cope with its failings, and you'd do the same with any alternatives if you had reason to.

    As a computer user who was developing software, it got very tedious reinstalling Windows once a month, because it couldn't cope with the idea people might want to "try" software, or install one or two packages.

    Then when doing "security sensitive" work, I discovered that the Microsoft mail clients security settings were a complete fiction (at the time), and didn't actually do anything when you clicked them, that and lack of a decent OpenPGP plugin for the mail client I wanted to use, and the availability of various software packages in the Unix world that had never been ported to Windows, were enough pain to make me install Slackware on a spare machine.

    Since then Microsoft have dealt with some of their worst issues, well it doesn't crash anywhere near as often as it used to, but they haven't really addressed any of the security issues in depth apart from some measures to try and minimise the impact of buffer overflows in some of their own applications.

    Moving operating systems can be a lot of effort (actually it is getting your data out of proprietary formats, and applications, that causes the main pain, I suspect I could reinstall this machine as OpenBSD tomorrow and the main problem would be the odd application that needs recompiling), so people won't do it without good reasons. I suspect that it is rarely cost justified in the short term, as that pain is almost certainly more cost per user, than the extra costs in running Microsoft Windows and software.

    It may be justified in the long run, like never being at the mercy of software vendors in need of a few more bucks to pay their staff (or bonuses), or never being stuck when recovering a server because you can't find, or it won't accept some obscure licence key, or having a problem that "needs" fixing, and knowing you can always hire someone to try.

  15. Re:Welld duh its written in C on No WINE Before Its Time · · Score: 1

    'What? That's gibberish. What "large complex problems" are you talking about exactly?'

    Stroustrup says "event driven simulations for which Simula67 would have been ideal..." (but for the performance), but heck, what does he know.

    You can of course compile C++ into any Turing complete language, that doesn't necessarily mean it is a good idea, or that the other language is equivalent in terms of expressive power.

  16. Re:Wrong... This is why open source is so great! on Linux Instant Messengers · · Score: 1

    "Yes, we all realize that Linux has a more secure list of "safe" software and has a better software installation procedure (with its package managers only). That doesn't negate the fact that many people want to go outside of the box (and their sources list) and install new software that hasn't been whitelisted and packaged for their distro (yet or ever)"

    If the software has never been packaged for the distro then it obviously will require recompiling and distro know-how. What, Windows doesn't require this? Of course not, Windows is effectively "just one distro", but what do you do if your software hasn't been packaged for Windows? That the average GNU/Linux user has the tools and clue to cope with this situation doesn't mean that it is a prerequisite for using GNU/Linux distros.

    Windows retains its "just one distro" feel by trying to maintain backward compatibility with the older APIs, which is why you are recommended to switch 8.3 file name compatibility off in IIS to limit your chances of being owned by all the accumulated dross required to maintain such compatibility.

    Installing software on some Linux distros is pretty much the same as Windows, except that you know it will work in a secure multi-user environment, and it'll come as a package in a well defined format, rather than as an .exe, a .zip or .msi, or some other random format the Windows developer in question thought was a good idea at the time.

    You can't just say "Linux doesn't do this", by all means say "Debian stable with options X and Y" doesn't do this, but other distros default to having an installer run when you click a package file. Probably stupid, but they do it in the interests of allowing users to mess up more easily. People do all sorts of stupid things in pursuit of user friendliness, and as a result make the machines harder to understand, less secure, and make life harder for the end user. Don't get me started on distros that open "root shells" that don't require passwords.

    How will you upgrade the software? These flashing icons when an app feels out of date are daft, first people ignore them, and second the software will be out of date when it isn't being used, welcome to "privilege escalation hell", it is like DLL hell, except your box is owned instead of unusable at the end of it. Alternatively it could all phone home, and install its own TSR to chew memory and try calling home at regular intervals, yeah neat.

    The reason "free software" does this differently (not Linux), is we don't have that backward compatibility hell, if we need to change an app that uses some hideously outdated feature to make a more secure OS we change it, and tighten the OS, not make the OS bend over backwards for years and years.

    As such the reason these discussions come back to security, is because how you install software cuts right at the heart of how you build and maintain secure computers, it is about knowing what code is where, who can run it, and making sure it is up to date.

    When was the last time you saw a Linux box saying "Searching for code containing the GDI vulnerability" (and searching again when the patch is rereleased a few months later)?

    Anyone asking why does program X that works for distro 1, does not also install and run in distro 2, should ask why don't I fit the exhaust for my Ford the same way into a Vauxhall, even if it is the same exhaust, there are different procedures to follow to ensure the component is properly fitted. Sure you can probably find a dodgy mechanic, who'll make a guess, and your car will run like a badly managed copy of Windows XP from then on.

    Don't get me wrong I use one PC with a GNU/Linux distro, and a downloaded copy of Mozilla-Firefox, and Mozilla-thunderbird, rather than installed from packages. But that is because it is scheduled for replacing and it was a quick and dirty hack to save upgrading it to a supported version, as a result the software doesn't integrate as nicely with the desktop. But m

  17. Re:Developer on Free Gentoo Technical Support · · Score: 1

    Rumours of a plan to hire key GNU/Linux people and get them doing other stuff, sounds more like a Microsoft scheme to undermine Gentoo.

    Answering support calls, not even Microsoft would sink that low.

  18. Re:True to an extent... on The GPL Impedes Linux More Than It Helps? · · Score: 1

    > Ricoh copiers run NetBSD.

    Fingerprinting non-network devices is more challenging ;)

    > they picked Linux

    I read the article as they picked Linux because they believed it would do the job, rather than any specific technical merit.

    The licence stuff is at the end for those still following. One key point is of course the GPL exception for kernel modules in Linux, I suspect someone less familiar with Linux might not appreciate that they can have closed source kernel modules, although for anything but embedded devices it is probably a "bad idea", for the same reasons that Linux doesn't have a binary interface for these.

  19. Re:True to an extent... on The GPL Impedes Linux More Than It Helps? · · Score: 1

    "but its less easy to determine how many routers, gateways, broadband modems, etc run *BSD"

    My ADSL modem runs Linux.
    My MD's (different manufacturer) runs Linux.
    My manager's runs Linux.
    The games adaptor for the wireless LAN runs Linux.
    All new, all bought in the last year. I don't watch enough TV to own a Tivo.

    Indeed almost all the embedded network devices I've seen recently run Linux, if you'd like to start pointing at a few running a BSD variant I'm all ears.

    It isn't always easy to determine, but for those with the geek credentials to care, well fingerprinting is a well established geeky thing to do.

    Most of the devices I mentioned are MIPS based, on very small low power boards, and I don't think I've seen BSD running on this sort of very low end hardware. Sure there are high end firewalls running on BSD, but then some are running on GNU/Linux, and even some on NT.

    But I think those who look at the issues carefully, realise that the licence is not the deciding factor. Because if they want to protect their source code with Linux, they can stick with closed modules, or applications.

    I suspect some firewall vendors chose NetBSD because they thought it was a better OS to base a firewall on, and not because of its licence. I suspect Linux is now winning more converts because of the broad hardware support in the kernel, and the mini distros (Busybox and the like), and nothing to do with its licence.

  20. Re:Money Talks on Shuttleworth on Ubuntu's Direction and Intent · · Score: 1

    "Half of the time, the question doesn't involve anything distro-specific (even apt-get, when talking about ubuntu vs. debian, is hardly distro specific), so anyone could answer the question for the most part."

    Whilst I know what you are complaining about, my experience is the majority of such questions ARE about problems that simply don't happen if you run Debian, and stick to "testing" or "stable". "Release when ready" has its advantages.

    Even questions about "apt" can have very different answers because the distros have very different release structures.

    But it is all beside the point, even if the people in #debian know the answers, even if the problem happens to be the same across both distros, if they wanted to answer other people's Ubuntu questions they would presumably also be in the Ubuntu channels.

  21. Re:ssh scan on Novell OpenSUSE Server Hacked · · Score: 1

    Hey I don't do that messing around, although most of the boxes I admin only allow named accounts to ssh in, and most only from specific IP addresses.

    But it does look like this box wasn't terribly important, nor attentively admin'ed, and there is nothing suggesting it wasn't owned due to use of weak passwords.

    An IDS system might have spotted the scanning, or intrusion earlier, and mitigated the damage.

    And before anyone says "OS/distro X doesn't allow weak passwords", I've never seen any admin with strong passwords, different on every machine, that didn't have them written down in a list that introduces different methods of attack, although I don't doubt there are a few around with very good memories.

    Without more details this is a non-story blown out of proportion by typically accurate /. readers' misrepresentations.

  22. Re:Lets see in seven months on Unreliable Linux Dumped from Crest Electronics · · Score: 1

    I remember my HP-UX enterprise servers that took 15 minutes to reboot. First they boot and run a full hardware diagnostic from firmware (displaying any faults on the LCD), and then if they can, they loaded the OS, and ran a full hardware diagnostic printing the results to the log files (for all those less critical errors like, half your disks are bust and one of your SCSI cables is disconnected).

    15 minutes x 100 users, only about three working days lost per reboot during office hours.

    Then again one year we didn't have to reboot it at all. But then I'm young and don't remember those mainframes with the tape loading OSes that took even longer, honest.

  23. Re:Lets see in seven months on Unreliable Linux Dumped from Crest Electronics · · Score: 1

    > You're missing the one big advantage windows users have over Linux users - the massive user support base. If you have a problem with a windows based machine, you can usually google the problem and odds are someone has had the same issue and come up with a solution already. You can usually find a fix in a matter of seconds. With an obscure Linux distro

    I see the problem here, "obscure Linux distro", RHEL is not obscure. I don't know how the relative figures go for Redhat and Gentoo, but Gentoo is well down below Redhat/SUSE/Debian/Ubuntu....

    Also many of the Linux problems are common across distros, and even across operating systems. When dealing with 3rd party software like Oracle, or SAP, you'll often find someone has the same issue on another *nix platform, and they are sufficiently similar to have similar faults.

    It isn't about the size of the userbase, it is about the cluefulness of the people, the tools they have to hand, and the consistency of the installed software.

    Windows with its file level configuration management spawns a zillion different installations, whereas a Debian or a Redhat OS install is going to be in a very small number of possible states.

    The Linux userbase isn't short on clue, and everyone has most of the tools (including source code) to hand.

    The bigger problem is "vendor clue", you can go to many PC companies, and buy preinstalled RHEL, but if you come back with a tricky problem you'll discover they have very small numbers of people with real Linux clue (often these people are focused on supplying drivers for their hardware and not dealing with more mundane issues), often relying on Redhat, or other vendors to provide support where absolutely needed. In many cases you get a quicker and better response going to appropriate forums, or to a third party (or Redhat direct) for support. If only to bypass that first line of helpdesk who are going "huh?".

  24. Re:Lets see in seven months on Unreliable Linux Dumped from Crest Electronics · · Score: 1

    > I'm a *nix (FreeBSD & Solaris preferred, but Linux too) admin, but in this circumstance I would have switched to Windows too.

    Obviously you're not a Windows 2003 admin, it is nowhere near "Enterprise Ready".

    In such circumstances I'd probably have deployed a commercial Unix (Solaris?) if I could get a stable Linux box (unlikely), big SAP user base, cheap well tested hardware.

    The description sounds like a hardware problem - they had it checked over - why didn't IBM just swap it out completely?

    The other issue seems to boil down to SAP supporting automatic updates to Windows 2003, not to RHEL. But I don't see what the big issue would be in backing out a patch if SAP thought it might be the cause of a problem.

    First thing SAP will do with W2K3 SP2 (or other Microsoft patch) breaks it, is say "back out SP2", and Microsoft are unlikely to be going to give you the option of backing out such big changes in a more gradual way.

    Really sounds like they don't have a clue what they were doing.

  25. Re:it's an architectural problem on Torvalds & Linux Dev Process · · Score: 1

    > From who?

    Nethack diehards, sorry I meant the Hurd development team.

    You can tell a lot about a community from the games that delay development.

    Experience says you want code written by people who like Sokoban, but you are more likely to get code from people who prefer first person shooting games, I think it probably reflects different approaches to problem solving, and DEAD lines. Debian has tetrinet, competitive tidying up of walls, as more stuff falls from the sky, nuff said.