Slashdot Mirror


User: 0x0d0a

0x0d0a's activity in the archive.

Stories: 0
Comments: 6,986

Comments · 6,986

  1. Re:This article is a disgrace to slashdot on The Windows Security Nightmare · Score: 1

    I can't understand how making and distributing custom Windows CDs doesn't violate copyright and Microsoft EULAs.

  2. Re:Yes, it probably is on Safari Falls Victim to Remote Code Exploit · Score: 1

    I get the impression (only from the /. blurb so far) that this hole is, by orders of magnitude, more serious than anything reported for Mac OS X previously.

    There have been many, many, many holes that have come out against web browsers that allow local access with the level of access of the client given a malicious page. It was a bit worse during the heady days of the "web browser wars" when features were coming out every day, but it's certainly nothing particularly unheard of to have an attack against a web browser of this sort. The reason they weren't catastrophic is because the worst attacks present were generally not that awful. Sure, maybe a couple of web forums don't filter HTML well, and a couple people get nailed, but there's nothing like a huge worm hitting everyone regardless of machine use. Heck, KHTML has had exploitable holes before, which means Safari would be vulnerable.

    Most "vulnerabilities" previously reported for Mac OS X have been largely theoretical, obscure, and hardly any real threat (at least, when compared to the pretty high threshold of threat before anything is considered a "flaw" in the Windows world).

    Don't misunderstand, more serious stuff than this is pretty much standard fare for Windows (and sometimes on UNIX/Linux too, cf. "wu-ftpd", "bind", and "sendmail") - but for the Mac OS X platform, a flaw as "exploitable" as this is pretty unique.

    Err -- OS X isn't going to be better off than UNIX/Linux, as it's open to almost all attacks that those platforms are. If FreeBSD can get nailed via sendmail, so can OS X. Those other *IX platforms have been around for more years, so they have a larger security history. This is the kind of misleading credit that OS X gets that's a bit frustrating to me, since it really does not help folks make intelligent decisions.

    'Course, it will probably be taken care of within a few days via "software update", if not already.

    Yes -- this is exactly why I didn't think it was worth a story. There will be a few people compromised, but not a huge number, since most people aren't going to visit a page that can be maliciously altered in a couple of days, and Apple will push out an update in short order.

    Anything that can be used by a worm and can be firewalled off is cause for concern -- getting the message out ASAP is priority. Any attack where malicious code can "push" itself is very bad. Attacks where malicious code can only be "pulled" in...just not such a big deal to have an issue like that for a few days.

  3. Re:Do we need more types? on Welcome to the 'Plogging' World · Score: 1

    While I agree that abbreviated "Internet words" have gone over the top, I do think that personal publishing has had a significant impact on the Web and will continue to do so. It's far easier to get linked to than to get something you say included in, say, the WSJ, so it does distribute the influence of mass media to a far greater degree than has ever happened before.

    Holy cow, I didn't know you were still in Pittsburgh, Jason -- I wondered when I saw your domain name. Cool.

  4. Re:Really now. on Welcome to the 'Plogging' World · Score: 1

    Everyone wants to say "you know, *I* coined ". The Internet provides fertile ground for taking this into overdrive.

    Damned if I know why -- it's not as if it's some kind of impressive contribution to mankind or very difficult to coin a word, but...

  5. Re:they are good in theory... on Welcome to the 'Plogging' World · Score: 1

    The common reaction I got was when should I blog? And another response was that they didn't want people to know what they were doing.

    Yup.

    If people say "there is problem X", it's just something for their managers to start bothering them about. If people keep saying "everything is fine" and work on resolving things without ever letting out that there is a hangup, they get less pressure from above.

    Also, people may use this informally and not put the effort into a plog that they would a press release -- but it's easy to snag stuff from a plog.

  6. Is this worth a story? on Safari Falls Victim to Remote Code Exploit · Score: 3, Insightful

    I'm all for calling Apple out on security violations when they deserve it (especially since there have been some awfully generous and inaccurate security claims about Mac OS X), but if there was a Slashdot story for every exploit against a web browser, we'd be reading nothing else.

    If it was exploitable and used in an *email* client (a la Outlook using the MSIE rendering engine), *then* I could see some serious cause for concern, as the worm potential is severe.

    However, this is ultimately a client-level attack that requires the user to pull down malicious data. It just isn't a big deal.

  7. Re:Microsoft's history of dishonesty and crime on Linus Not The Father Of Linux, According to Report · Score: 5, Interesting

    Uh...while a lot of this is true (and some is clearly stuff that folks are justified in being suspicious of but will never, ever be able to prove), there are some awfully bizarre claims here, and plenty of speculation.

    - Fraud: False claims, planted by partners like Toqueville.

    You have no knowledge that this particular instance was instigated by Microsoft. Microsoft has *definitely* paid off "independent researchers" to come up with misleading studies in the past, but this is not in the least unusual for large companies in the technology industry, much as I hate to say it.

    - Legal Attacks: Microsoft funded the SCO attack.

    This is certainly worth looking into, but it's not as cut-and-dry as you're making out.

    - Secret Hardware Protocols: Working with partners like NVidia (closed source drivers), ATI (closed source drivers), and AMD (the unpublished memory-access fix).

    Microsoft has not, to the best of my knowledge, conducted a "secret hardware" campaign or anything of the sort. A lot of the industry is (unfortunately) secretive for competitive reasons -- that doesn't mean that Microsoft is behind it, or even actively encouraging it.

    - Locking-in Linux: Working with partners like NVidia and ATI (closed source drivers), possibly Trolltech (the proprietary version of Qt, Qt support for .Net), possibly CodeWeavers (promoting MS Office on Linux, and ActiveX on the Internet), possibly Xandros and a couple of other Linux distributers (proprietary Linux admin tools, Qt-only desktop environment, promoting MS Office on Linux, etc.), possibly Macromedia (Flash), and who knows who else.

    Absurd. This isn't even remotely plausible. You have no evidence to back this up, numerous statements to the contrary from reputable people (if you think that Miguel de Icaza is lying and secretly being paid off by Microsoft for doing Mono, and that TrollTech is in bed with Microsoft (instead of the much more obvious just trying to make a buck on their products)) you're loony.

    - Infiltration: MS plants joining Open Source projects to cause interference, wearing out the leaders through constant complaining, driving away other developers by acting like jerks, pushing the project in bad directions, etc.

    Sorry. People are jerks on their own. Microsoft may do this in the future on strategically valuable projects (it's clearly a viable and legal strategy), but I doubt it.

    - Infiltration: MS plants joining Open Source projects and pretending to be die-hard supporters, then pushing for overly-tight licensing, convincing others to add special restrictions that limit the software's use (possible examples: DotGNU, XFree86), using LGPL for what should be BSD (CodeWeaver's Wine), using GPL for what should be LGPL (MySQL), and so on.

    [Laughs] If Stallman and friends, with their pro-GPL rhetoric, are Microsoft shills, they could just revise the GPL. That's absurd.

    The most egregious things that we know happened that I think I'd highlight would be:

    * Netscape's server compatibility and attacks on the client by servicing MSIE clients first. These are clear, true cases of anticompetitive behavior.

    * Microsoft deliberately monkeying around with DR-DOS compatibility in their applications.

    * Microsoft working hard to keep protocols and formats closed and avoiding third-party compatibility to promote lock-in. Not that unusual for the technology industry, sad to say. The Kerberos SMB stuff was a good example.

    * Driver signing -- the claim that it's "for security" or "reliability" is as ridiculous as the claims of DRM being "to promote end-user security against malware", and everyone involved is quite aware of the fact. It's to give Microsoft a powerful club.

    * OEM pressure. Bundling, doing Windows only, etc.

    * Using Office support as a club against Apple.

    * Microsoft attempts to make Java Windows-specific have not, as far as I know, been demonstrated clearly enough for a court to decide against them, but I'd say that most folks can comfortably say that Microsoft had malicious intent.

    * Anti-GPL propaganda and misinformation. It's not as if many GPL fans don't do the same to Microsoft, mind you.

  8. Re:That is not terribly accurate on Linus Not The Father Of Linux, According to Report · Score: 2, Informative

    Oh, now Bell Labs was in the habit of hiring young Finnish geeks (no doubt using their large Finnish presence) to write homebrew terminal emulators? Riiiight.

    Bell Labs gets no credit for this one.

  9. Re:origins of Microsoft software on Linus Not The Father Of Linux, According to Report · Score: 1

    More to the point, Microsoft-owned XENIX and COMMAND.COM are clearly derivative of AT&T's work.

    I'm not so sure that this is such a big Microsoft PR move as it is an attempt by someone to write a controversial book to get sales.

    Frankly, I've found that open-source people tend to be significantly *more* respectful of licenses than closed-source people (especially since all their actions can be viewed by the entire world, and there's less temptation to "try to get away with something" in the short term).

    I'd be much more likely to bet that a typical open source project has a legally clean codebase than a typical closed source project.

  10. Privacy concerns with eigenfaces on Eigenfaces Online Service · Score: 1

    There has already been research on partially "anonymizing" eigenface data to the point where it is useful but does not provide 24/7-everywhere-people-go tracking.

  11. Re:Distributed Operating System? on Inferno 4 Available for Download · Score: 1

    If some users on the system are in the habit of running several heavyweight processes, and others only tend to run lightweight ones, then the processing in that manner can be distributed around the network.

    Mmm...yes, theoretically, but a desktop system is pretty powerful these days -- the draw isn't what it once was. You have to have a process that is so heavy that the user wants to put it on another system, not heavy enough that it has its own custom distributed system (like a raytracer or custom scientific computation system), and you have to work to avoid processes that depend on each other winding up on different nodes.

    You can also transparently implement a system whereby you have mostly dumb terminals, and a few high-powered servers located in a sound-proofed, air conditioned room. You should also be able to add servers easily to this system.

    Yeah, but there are an awful lot of ways to pull this off without using a full-blown distributed system. A nameserver with lightestloaded.foobar.edu, for instance.

    Spelling creat with an "e" :-)

    Hey, some of us get RSI! Seriously, I guess if I had a single irritation on this level, I'd like to see "less" renamed to something a bit more newbie-friendly.

    Linux is really just a kernel. You can stick whatever init system you want on top of it. Redhat seem to use a bastard hybrid of sysV and BSD. I can't comment on any other distros.

    Sure, but other than Slack, I don't think any mainstream distros use non-SysV.

    Not quite sure what you mean here. If you create an encrypted loopback, then all file encryption becomes completely transparent on that filesystem.

    Windows encryption -- check "encrypted" box on directory/file property tab.

    Linux encryption -- not supported with end-user-friendly interface on most boxes, where "pretty end user interface is present, support for mounting my home directory unencrypted at login time is present, no standard way for user to specify what things he'd like encrypted/unencrypted -- you'd need to hack some sort of suid filesystem creation utility up". Since support is at the block device level rather than the filesystem level, mixing encrypted and unencrypted files is a PITA. Not a standard *IX-wide way to do this.

    There's a few features I'd like to see. One is KDE-style IO slaves. This could be done at the libc level. In essence, it would recognise URLs, and use a program to open the URL and shove its output into a file descriptor for the program.

    Mmm. One problem is that this breaks long-standing guarantees about the format of UNIX paths, which means that a number of programs would break.

    FUSE (kinda like LUFS, if you're more familiar with that project) provides KDE IOSlave support at mount time, just not open time.

  12. Re:Distributed Operating System? on Inferno 4 Available for Download · Score: 1

    I've just reposted it to my journal.

    Dunno if "detailed proposal" is fair, though, in retrospect, but it's more than just a vague idea.

  13. Re:Distributed Operating System? on Inferno 4 Available for Download · Score: 1

    Wrong. Linux is only a kernel and it doesn't have any kind of init system. You can tell linux to use whatever executable you have on your machine (like init=/bin/bash) if you are talking about GNU/Linux then say so.

    If it offends your sensibilities, please feel free to use s/Linux/Most Linux distributions/. For brevity, readability, and because most folks know what I'm talking about, I frequently make this shortening. Given that the initscripts I run on my system are SysV init but not a GNU project, it hardly seems fair to give GNU the credit for them.

  14. Re:Distributed Operating System? on Inferno 4 Available for Download · Score: 3, Interesting

    A better UNIX, though, sounds like a nice idea.

    Not that this is bad, but it isn't just "UNIX++".

    Distributed operating systems are cool -- to do research on. However, they suffer from some serious real-world-usage problems. Unless you really know what you're doing and frequently are writing the application you plan to use, you don't "magically get lots more speed" because most tasks that people want to do just don't parallelize all that well (and even if they do, take more work to parallelize). There are only a couple of non-unique software systems that *really* parallelize really, really well. Raytracing is one. The problem is that these systems are so few and far between that it's often better to just write application-specific distributed code rather than trying to write a general distributed OS that gives less good performance. There's often a fair amount of overhead involved in distributing an OS, so the vast majority of common tasks run with overhead that they wouldn't need to on a traditional OS.

    *IX is pretty good. There aren't a whole lot of obvious changes I'd like to see. Hmm...if I could make changes:

    * Standard home directory structure redone. I wrote a detailed proposal on Slashdot for this that allows a standard mechanism for dropping off files, having public files without exposing the contents of one's home directory, and not having config files littering one's home directory.

    * ACLs being standardized (and ideally used minimally or not at all on vanilla boxes). ACLs are terribly useful for end users, as it's much easier to do many tasks (and you can do things that you can't do with the standard *IX permission scheme). Minimal use is important to keep things easy to audit.

    * Linux has a fully-ordered init system rather than a partially-ordered init system. This is not that great from a performance and usability perspective. Partial orderings allow a full ordering to be forced, if necessary. However, full orderings prevent clever things being done like getting the desktop up as quickly as possible on a desktop-based system, but the nfs server up as quickly as possible on a fileserver.

    * *IX lacks a standard utility that can escape all non-line-terminators. This is terribly important for dealing with files with spaces and parens and things in their name. I have a replacement awk script called "myxargs" that does this and lets me do all the standard *IX file operations easily without having my stuff barf on files named using Windows conventions.

    * *IX does not have a standard set of features -- and on Linux, no easily-end-user-available features at all for transparent file encryption. Windows does. This is an embarrassment.

    * Chroot is very cool, but also overkill for a lot of things. I'd like to see support for a standard Linux restricted /proc, so that things can be sandboxed without being able to see everything else running on the system (and so that users can't see what other users are running -- this has traditionally been a bit of a nasty security hole, where newbies write scripts that take passwords or other critical data as a command line argument).

    * I've always wondered why network interfaces (at least under Linux, not sure if this is the same under other OSes) are not files like almost everything else in the UNIX world.

    * *IX lacks a good, common, secure, easy-to-set-up distributed filesystem. It would be really nice if AFS was a piece of cake to set up, supported large files out of box, and was present on all *IX systems. If it could serve the role that SMB/CIFS does in the Windows world (Joe User can easily make a share), but with better performance and security, and the ability to easily distribute, we'd definitely be going somewhere.

    * *IX lacks a good, common, secure, easy-to-set-up messaging client. Talk was absolutely wonderful back in the day, but firewalls and other nastiness have made it very uncommon. This is not just for desktop systems -- messaging can be a CLI application for troubleshooting and the like. I'd personally hope that such a system be able to do end-to-end encryption.

  15. Re:15 Minutes Over in 3...2...1 on Groklaw Turns One · Score: 2, Insightful

    That is an interesting site you have there, with some interesting ideas. Among other things:

    * I think that the idea of tags is a Good Thing on Slashdot. This allows people to tag things as being under a particular variety, and people to score based on tags however they desire. It does make the default values assigned to tags extremely powerful, though -- many people will moderate things that are not true "offtopic" in lieu of "troll" or "flamebait" or whatever, since they just think "I've knocked it down by a point".

    * I think that the idea of point-oriented moderation tags (underrated/overrated) is a poor idea. On Slashdot, such moderations are immune to metamoderation (why?) and it means that people must "choose the point value" of something. I may not care about "offtopic", and want to see it, but if a comment is tagged "overrated" I have zero information to make a decision based on -- how do I know why the comment is overrated and whether I might want to read it?

    * I'd like to see a wider point spread than the -1 to +5 of Slashdot. That made sense back when there were fewer users, and +5s were rare and exceptional. Now, I post +5s every day or so, and frequently see +5s that aren't that great. Clearly, the moderation data has become saturated.

    * I think that the idea of no negative moderation (kuro5hin) is a good idea. Here's the problem. It is very easy to post lots of negative posts. Slashdot makes some attempt to avoid negative moderation -- limiting the number of posts/IP/day, and tempbanning people that post too many things that are modded down -- but ultimately, when you allow anonymous users, it's hard to do anything about this. Usually, there are a relatively small number of useful posts. It's better to mod those up than to let trolls force one to blow an arbitrary amount of points on negative mods. (An alternative would be to have a number of points reserved for "positive mods")

    * Slashdot sorts posts forward chronologically by default for new users and for unregistered users. This is a terrible default. It means that the ever-abusable First Posts have value, it means that the least informed posts are generally the first thing that new users see (rather than the later posts from people that have both read the story and considered many other posts as well), and it means that the comments that are read on a story are unevenly read.

    * One idea might be the loss of moderator anonymity. Clearly, wars could be started by people starting to regularly mod each others' posts down, so there is a serious potential for problems. However, there are major advantages. First, I suddenly have the option to weight moderation of my friends more highly (and my enemies less highly). Second, it's possible for the forum to suggest friends/enemies from people that moderate very similarly or differently from my own moderations -- in general, if I mod down flamebait, I'd like people who mod it up to have less influence on what I see.

  16. If VA Software goes out of business... on Groklaw Turns One · Score: 4, Insightful

    If VA Software (once known as VA Linux) goes out of business, there will be severe repercussions in the open source world. (I think that this is unlikely, but they might be pared down.)

    VA Software owns OSDN, the collection of Slashdot, Newsforge, Freshmeat, Geocrawler, and Sourceforge and some other major OSS sites (I consider the above five to be the most critical). In most cases, if VA Software goes under, it's probable that VA will have to do what it can to sell off assets and data (rather than freely releasing them) to either return to profitability or pay off creditors.

    Let's look at a couple of these:

    * Newsforge. Without doing research, I'm guessing that Newsforge is not self-sustaining, and would probably have difficulty being very profitable, thus it probably could not be spun off. I don't think Newsforge has significant assets in the form of IP. On the other hand, Newsforge is a fairly biased, propagandaish news source that doesn't attract a lot of mainstream attention. The loss of Newsforge probably wouldn't do too much damage to the OSS world.

    * Slashdot. Slashdot can probably (perhaps given some tweaks) be self-sustaining. There are a lot of things that can be done (like ad banners and subscriptions, as is now the case) that would probably let Slashdot keep itself afloat without drastically changing the way Slashdot works or damaging userbase size, and a number of somewhat more intrusive things that could be done that would allow Slashdot to still remain a major tech forum. Slashdot is somewhat replaceable (especially since Slashcode is open) but it would take a long time to produce such a valuable database and user base -- and given the value of these, Slashdot could probably be sold to a number of organizations. Slashdot's comment database is enormously valuable, and may rival USENET for data on a number of tech issues. Its loss would be damaging.
    Slashdot is frequently biased and sometimes inaccurate, but it has a significant degree of clout. Mainstream news sources definitely go over Slashdot to identify interesting tech topics. Slashdot is an important place to get people upset about or make them aware of things relevant to the open source world -- it is probably currently the single most important such forum. It helps produce rapid community response to issues -- there have been a number of times that (major) changes have been made (vendors making statements on Linux support, people finding alternative hosting to keep important resources alive, etc) after Slashdot highlights points. It is a significant political mobilizer, and assists other mobilizers -- it is unlikely that nearly so many people would frequent Groklaw without the attention Slashdot gave it. In general, Slashdot significantly improves communication, open source visibility, reduces response time, and facilitates the spread of memes in the open source community. I would consider it to be extremely important, and the loss of it a major setback.

    * Freshmeat. Freshmeat is a major resource for *IX software. There is no other database that is nearly as comprehensive or helps get the word out about important updates. Google can replace some of Freshmeat's features (the ability to locate a project homepage is somewhat less useful than it used to be). However, while Freshmeat does not provide updated competitive reviews of software projects, it is *the* single place to go when one wants to find a list of potential *IX applications to solve a problem. This has significant trickle-down effect to even end users -- if one works at Red Hat and is trying to find a good CLI FTP client to bundle with Red Hat, Freshmeat is where to start looking for one. Freshmeat can probably maintain itself, especially as it may have lower resource usage than Slashdot. Freshmeat is probably the primary location to spread warnings about an intentionally malicious application (such as one that adds backdoors to a system) since many people will see Freshmeat comments when doing initial-evaluation of soft

  17. Re:not accessible from China? on Groklaw Turns One · Score: 3, Insightful

    I suspect that potential penalties (even if actual risk is low) of intentional violations of China's censorship policy may be quite nasty.

  18. Re:15 Minutes Over in 3...2...1 on Groklaw Turns One · Score: 5, Insightful

    Mmmm...I agree that PJ has become less objective than she was a year ago, when I considered her to be *very* scrupulously objective. She has become "part of the community", and it's hard to remain utterly cold when you're in such a position. She's also put up more "what if" conspiracy type thoughts herself. They may be perfectly valid, but I do think Groklaw is less valuable for it -- it was once somewhere that you could just aim PHB types -- even if the comments could be a bit out there, PJ's articles were strictly down-to-earth analysis. Even if ESR's Halloween memos and theories are perfectly well-founded (and some of them are almost certainly pretty accurate), they're tough to sell to someone who isn't part of the Linux world and has kind of vaguely always trusted Microsoft.

    I don't see the problem you do with the "FUD insurance" (though the conflict of interest is obvious) because PJ has done an admirable job of tamping down fear of legal violations. She is clearly in an abusable position; I have not seen anything that I would call abuse, though.

    I agree that Groklaw could use a bit less of the anti-SCO humor and Darl-namecalling from posters -- that's really better placed on Slashdot, with its stronger moderation system.

    I also am interested as to whether PJ will begin to wind down Groklaw (as was my original impression) as SCO sputters down, or (as I'm starting to think) she will keep it alive as a forum to discuss Linux legal issues. It is clearly valuable to her employer, as she speaks with some authority on Linux legal issues.

  19. Re:Aah thaat's greaat news on Dutch Portal Cleared of Copyright Infringement · Score: 2, Informative

    Our Harlem lost the extra A when it filled up with negroes who can't read or write.

    Not the case, unless you consider 1600s Brits particularly black.

  20. Re:Good news for Google! on Dutch Portal Cleared of Copyright Infringement · Score: 5, Interesting

    If he moves Google from the US to the Netherlands, yes.

    Actually, basing Internet companies in the Netherlands seems to make an awful lot of sense. It's a first-world country, they have relatively permissive laws, and a dense population. Since you're right in the middle of Europe, bandwidth isn't expensive. If you can operate your company anywhere in the world (as is quite possible for a .com), it would seem like countries will start needing to compete for companies.

    Not sure how nasty business taxes are, and there's obviously a host of other variables involved, but...

  21. Re:High schools use these on Cell Phone Jammers: Coming To An Event Near You? · Score: 1

    They should have only run the jammer during school hours.

  22. Napster? on Dutch Portal Cleared of Copyright Infringement · Score: 3, Insightful

    So are services that merely provide indexing and contact data for other systems legal under Dutch law?

    Napster, for one? Sharereactor, etc?

  23. Re:Also used for silencing theatres and such on Cell Phone Jammers: Coming To An Event Near You? · Score: 1

    Why do cell phone companies even sell cell phones with audible ringers?

  24. Re:"Convenience" versus safety on Cell Phone Jammers: Coming To An Event Near You? · Score: 1

    The problem is in the precedent it sets. Once the public gets used to cellphone "dead zones", people will start using jammers in other areas for other reasons. How about at a movie theatre or concert? A fancy restaurant?

    Some of us see that as a benefit.

  25. Re:really safer? on Cell Phone Jammers: Coming To An Event Near You? · Score: 1

    I don't think that cell phones are likely to be a significant cause for or against saving lives. They probably cause more traffic accidents, probably tend to improve emergency response time (exception -- way out in the wilderness, a cell phone, satellite phone, or radio is almost certainly statistically beneficial, since the noise pollution isn't an issue and the potential time benefits to emergencies are extreme).

    They have real world conveniences (you can sync up with friends easily) and irritations (you have to listen to someone behind you jabbering away).