This company really ought to rethink their strategy. The distro market is pretty competitive right now, and 59.95 is a hell of a lot of money to spend on a free OS.
I don't think that selling boxed copies in stores is Red Hat's primary motivation. I think they're going after the enterprise. That's why they want to sell subscriptions at $30/mo/machine. You buy, or download, one copy of RH and install it on as many machines as you want. But if you want enterprise level support to keep those machines "up2date" then you can pay the monthly fee.
If you're big enough, you can buy the soon to be released "Red Hat Network in a Box" where you can run your own completely autonomous Red Hat Network w/in your own corporation. (Info from a Red Hat guy who recently visited our LUG.)
Box sales in stores are likely to always be part of their market. But IMHO, it's not their primary target.
When you can use debian;)
seriously apt-get your life:)
I use debian. I love apt. But I'm considering moving some of the machines I support to red hat. For $5/mo/machine, it is really nice to have a single place where I can check on the status of packages and patches for every machine I manage. I don't know of a way to do this (currently) in debian.
Of course, I imagine it's only a matter of time before someone writes a post-install plugin to apt that will allow for an installation update to be written to a db or web page. So it's not inconceivable that debian gets a similar feature. But for now it doesn't exist, and it makes red hat very attractive for managing a non-small number of linux boxen.
The point that you appear to be determined to miss is that a firewall does not and cannot provide a meaningful control against the attack you describe.
I haven't missed that point. You're correct, of course. And by no means did I mean to give you the impression that I think JAVA doing this makes it any better. As you say, it's just as susceptible to the kind of attack I describe. It does have one advantage though, and that is that it runs in a sandbox, which limits the exposure of the risks.
SOAP, otoh, does not. Which means that the exposure of JAVA is determined by what can be accessed in the sandbox. The exposure to SOAP is determined by what can be accessed by SOAP... which is basically everything on the PC and everything behind the firewall.
IMHO, MS should choose either not to run SOAP over HTTP, and let administrators *easily* filter it, or run it in a sandbox. Either works for me. Until then, Schneier is 100% correct. SOAP is a serious security problem.
It does not do that today and it will not tomorrow, whether SOAP runs over port 80 or no.
Of course, it's impossible to prevent someone who has access both inside and outside of the firewall from bypassing it if that person is determined to do so. But that doesn't mean that it's a good idea to deploy something to 90%+ of the world's computers that will enable anyone to do that, whether they intend to or not.
I wrote the security profile for HTTP
Congratulations.
Downloading active code on a user's browser, sandbox or no is a much riskier proposition than a SOAP call.
I certainly agree that downloading active code is a dramatically risky proposition. But having SOAP around makes that downloaded code even *more* risky.
Creating a systematic mechanism to render a firewall, with all of its limitations, to nothing more than a router, and then deploying that to nearly every computer on the planet... you consider this a good thing? A single SOAP call may not be risky, but the implication of deploying this thing on the global state of security can't be benign.
Sorry, but all things considered I still disagree with your conclusions.
Which is why I am not impressed by the argument you make. Forget port 80 by the way, if you use SSL you prevent the firewall having any interaction! Do the initial SSL handshake then once you turn on encryption switch to using IP in IP encapsulation.
But it doesn't use SSL. httptunnel is not using the CONNECT proxy directive (which enables SSL connections through a proxy). It's using HTTP GET and HTTP POST, and that's it. To the proxy it looks like plain old HTTP. There's no SSL in it. SSHv1 yes, but not SSL. If you're unconvinced, thinking that ssh necessarily means that it's SSL, not a problem. It works with rsh, too.
The attack you describe would require collusion between the sender and the receiver. So if SOAP ran over a SOAP specific port there would be nothing to prevent the sender and receiver colluding to layer it over HTTP on port 80.
The attack that I describe does require that the sender and receiver be coordinated. However (and please correct me if I'm wrong) isn't SOAP's purpose to enable communication between a server and a .NET app? If so, it would seem to me that the .NET app (running on the inside of the firewall) and the server (running on the outside of the firewall) are certainly coordinated. And most likely, the .NET app that is inside your network got downloaded from the server that you're trying to connect to!
Firewalls do not present a barrier to an attacker who has already penetrated a network. At best they provide a hindrance. The value of a firewall is preventing the initial attack.
This is, of course, entirely true, but it misses the point. The point of the demonstration is that any time you allow arbitrary bi-directional traffic, the payload of that traffic can be used to encapsulate a point to point IP link. The problem with SOAP is that it creates an architecture for doing just that, and it's going to be released on an OS that enjoys 90%+ market share, and has an application barrier to entry.
The only prudent response to this is to block all SOAP Content-Types at the firewall unless it's to a trusted source. And of course, this is exactly the point that Schneier is trying to make: SOAP is a security problem.
SOAP traffic is actually quite easy to detect in HTTP, just examine the Content-Type field.
Then you say:
Actually selling firewalls is a large part of my business.
So, in order to filter SOAP we need to get a firewall with significantly more horsepower in order to examine the Content-Type field... and you sell firewalls.
How convenient.
You also say
However the issue you raise does not actually arise since a firewall should not be accepting incoming HTTP requests to the internal network in the first place
That is irrelevant. If you allow arbitrary outgoing requests, and their replies, then it's trivial to encapsulate an incoming request in the replies. Witness httptunnel, which can be used to set up outgoing SSH connections, which in turn can be used with PPP over SSH to establish the entire IP protocol... INBOUND... All of this over port 80. Think this can't be done? Well I'm an IT auditor, whose opinions you seem to eschew. I've done it (in the lab, of course.)
All things considered, I disagree with your conclusions.
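One way to implement the Content-Type check the post above describes, written as an added example (not code from the thread or from any product it mentions): it parses the head of an outbound HTTP request, recognises SOAP 1.1 (text/xml plus a SOAPAction header) and SOAP 1.2 (application/soap+xml), and blocks SOAP unless the Host is on an allowlist. The host names, the allowlist and the sample requests are constructed for the example.

```python
"""Classify outbound HTTP requests at an egress proxy as SOAP or not.

Added example. It assumes the proxy hands us the raw request head as text
and that TRUSTED_SOAP_HOSTS (constructed) is the organisation's allowlist.
"""
from __future__ import annotations

# Constructed allowlist of hosts we are willing to talk SOAP to.
TRUSTED_SOAP_HOSTS = {"soap.partner.test"}


def parse_request_head(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased; a repeated header keeps its last value,
    which is enough for a classifier that reads Content-Type, SOAPAction
    and Host only.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers


def media_type(headers: dict[str, str]) -> str:
    """Content-Type without parameters, e.g. 'text/xml; charset=utf-8' -> 'text/xml'."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def is_soap_request(method: str, headers: dict[str, str]) -> bool:
    """SOAP over HTTP is always a POST.

    SOAP 1.1 sends text/xml and requires a SOAPAction header (it may be
    empty, but it must be present); SOAP 1.2 uses application/soap+xml.
    """
    if method != "POST":
        return False
    ctype = media_type(headers)
    if ctype == "application/soap+xml":
        return True
    return ctype == "text/xml" and "soapaction" in headers


def classify(raw: str) -> tuple[str, str]:
    """Return (verdict, reason) for one request head."""
    method, _target, headers = parse_request_head(raw)
    if not is_soap_request(method, headers):
        # Not identifiable as SOAP; Content-Type tells us nothing more here.
        return ("allow", "not-soap")
    host = headers.get("host", "").split(":", 1)[0].strip().lower()
    if host in TRUSTED_SOAP_HOSTS:
        return ("allow", "trusted-host")
    return ("block", "untrusted-host")


# Constructed sample request heads (no bodies needed for the check).
SOAP11_UNTRUSTED = (
    "POST /StockQuote HTTP/1.1\r\n"
    "Host: unknown-service.test\r\n"
    "Content-Type: text/xml; charset=utf-8\r\n"
    'SOAPAction: "urn:GetLastTradePrice"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SOAP12_TRUSTED = (
    "POST /orders HTTP/1.1\r\n"
    "Host: soap.partner.test:443\r\n"
    "Content-Type: application/soap+xml; charset=utf-8\r\n"
    "Content-Length: 0\r\n\r\n"
)
PLAIN_GET = "GET /index.html HTTP/1.1\r\nHost: www.partner.test\r\n\r\n"
XML_NO_SOAPACTION = (
    "POST /upload HTTP/1.1\r\n"
    "Host: unknown-service.test\r\n"
    "Content-Type: text/xml\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in [("soap11 untrusted", SOAP11_UNTRUSTED),
                      ("soap12 trusted", SOAP12_TRUSTED),
                      ("plain get", PLAIN_GET),
                      ("xml without SOAPAction", XML_NO_SOAPACTION)]:
        print(f"{name:24s} -> {classify(req)}")
```

As the post itself points out, this only catches traffic that identifies itself as SOAP; a tunnel carried in ordinary GET and POST exchanges looks like plain HTTP at this layer and passes as "not-soap".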
From the gentoo article, I found the following very interesting:
Yesterday, Rik van Riel, William Lee Irwin and myself were able to discuss this issue of Athlon/AGP instability with AMD....
...But now that the problem is out in the open, the solution is clear. The Linux kernel's approach to memory management must become more sophisticated in order to address potential conflicts between the highly-speculative nature of Athlon processors and the non-cache-coherent AGP GART.
When Linus switched to the AA VM, I got the impression that one of the key differences between the AA VM and the RvR VM is that Rik's VM is much more flexible, but with that flexibility comes complexity, which is why Linus switched to AA's VM. AA's was much simpler to understand and helped to stabilize the VM problems. Does the above quote mean that the AA VM isn't going to be able to handle the requirements to fix this bug? Is this a plug to put back RvR's VM?
I'm not trying to start a flame war here, just want to understand if I understood what the final paragraph was saying. Please mod me down if I'm way off base, but help me understand too!
Whoops! It looks like you weren't responding to my post, but to someone else's. I didn't see that there was one stuck in there. Sorry for the harsh words. Thought you were talkin' to me.
Move along folks. Nothing to see here. Just some idiot trying to gobble some crow. Go back to your homes.
I can't believe I'm falling into answering this, but what application do you need that you don't have?
Perhaps you misunderstood my post. I use free software right now for just about everything. At work this isn't true, but on my own time and my own computers I use free software (in the RMS sense of the word) whenever I can. I do this because right now, the free software is better. There is some sense of using it because it's also morally correct, but that's not the primary driver. I use it because it's better. But I've bought non-free games. Why? Because they're better.
If a non-free OS comes along that is better than what I'm currently using (Debian GNU/Linux) then I'll use it. By better, I mean that it does a better job of meeting my needs. I'm quite happy with free software right now (except for games) so I use it.
Wow! Not only did I get dragged in by a troll (intended or not)
I don't think my post was a troll. I said that free software, right now is better than non-free software. So the fact that I'm trying to meet my needs as best suits me, and the possibility that non-free software might meet my needs better, that makes my post a troll?
I hope that you don't really believe that. Because then you're saying that free software is not really free. It's an edict. More than that, it's an edict that's above reproach. I'm not allowed to even think that non-free software might meet my needs more than anything in the free software world?
If microsoft can, by some complex reorganization of their development and review process, make their code have the same, or less, incidence of critical issue as, say, Linux... What would we do?
Declare victory. I think Linus once said, "If Microsoft starts producing good software, we've won."
Personally, I think this is the goal: to get good software. I enjoy the fact that currently the best software around doesn't cost me any money to obtain. But I'm not going to maintain some sort of religious fanaticism about it. If better software comes along that costs money, I'll buy it.
How many of you play only free games on your computers? Me either. I play Q3A or SimCity. I paid for them. Why? Because they're better than the free stuff. I'll pay for an OS too, if it's better than the free stuff.
Check out this reader comment from the January cryptogram. He's talking about liability as a tool for accountability and how that relates to insurance costs, and says, "Insurance costs are directly related to reliability. Show that your software is reliable before you release it, then your liability exposure is diminished." And hence, your accountability is diminished.
This guy is right on the money. Making security a priority can only be accomplished through making good design and good code a priority. And those won't be a priority unless there's some sort of pressure for it. Lowering insurance costs is one pressure. Positive PR is another. But more powerful than both of those is the pressure to keep customers from switching to a viable competitor.
And this, I think is exactly the thing we need: a viable competitor to Microsoft. Microsoft, of course, doesn't want this. Interestingly enough, this will also help deal with Rep. Rick Boucher's recent thoughts on the prevention of cyberterrorism. With all due respect to the many good ideas that Rep. Boucher has made, when he suggested enforcing product liability requirements on software producers, he assumed that was the only way to get better software. But it's not. Competition will be much more effective. "When Microsoft starts creating good software, we've won." - Linus Torvalds. Unfortunately, not only is Boucher's suggestion not as effective as competition, it's got a really nasty side effect: it would effectively kill the only potential competitor to Microsoft on the horizon: open source & free software.
Competition will breed better software. If a competitive marketplace still produces unsafe products (as was the case with the automobile manufacturers of the '60s) then perhaps new laws make sense.
The point is that the solution to both problems ("cyber-terrorism" and software security) is competition. If the government is going to do anything, let's encourage them to do something that opens up competition to the MS juggernaut. There currently is none, so make laws that produce competition. If, and only if, that doesn't work, then think about other ways to enforce accountability - like product liability for software producers. But don't put the cart before the horse.
I would like to start seeing *.lsb.rpm soon, guaranteed to work on all lsb-compliant distributions. As long as they are competently created they should be debianizable through alien.
Amen, brother! Score: +1, Insightful (virtual moderator point for you!)
How would a simple email with a link encouraging employees to vote be different than a presidential candidate sending an e-mail out telling everyone to register for their party or even go and vote? Sure, there's an obvious bias, but what makes you think that *anyone* is voting that doesn't have a bias?
Because it's a poll. When someone reads that 74% of poll respondents think blah, they assume that it's an accurate sample of what everyone thinks. But those same people conveniently gloss over the fact that this is a non-scientific poll.
What you see here is an attempt by Microsoft to convince their skeptics that lots of people like Microsoft. Microsoft couldn't care less about the people who already chose them. They want to convince the people who voted for Java that they're in the minority, and they ought to reconsider switching to .NET... "everyone's doing it!". And in the software developer world, the more in the minority you are, the more difficult it is to sell your wares.
It's worse than normal marketing. It's seriously slimy. It's not just a lie. It's an attempt to make someone else (ZDNet) lie for you! It's despicable... and no less so when /. does it.
This is a horribly late reply. My apologies. I hope that you'll see this and continue to respond.
I disagree. You're not paying enough attention to quality
The proprietary world is not doing any better at paying attention to quality. Why did it take until late 1995 before most computer users could effectively use more than 640k of memory? Why did it take until late 2000 until pre-emptive multitasking entered the home market? I have a copy of WinME sitting on a 4 month old computer at my house that crashes multiple times a day! Pre-emptive multitasking originated in the 60's! Exactly where were you thinking of quality in the proprietary software world?
Put bluntly, the vast majority of the Linux distributions were developed by people working in their spare time for something that THEY personally wanted. This is really a key understanding.
This is exactly correct. Those developers develop what they want. This is *good* news. Now the control of features is distributed amongst whoever wants it. Not centralized with the few who are merely guessing at what someone else wants.
This can also mean that certain software is left in that half-finished or half-usable state; it's finished enough that the developer(s) can use it for what they want, but not necessarily enough that outside users really can. This can (and does) mean that things like usability, speed, stability, UI, cooperation with other developers, and other elements suffer.
This is a problem that plagues closed software also. Take the release of the netscape source code. It was so horribly un{readable,usable} that the mozilla project scrapped it altogether and started from scratch.
If the hypothetical open source/free software that you speak of is not in a state that outside users can use it, no outside user will use it. It's only the software that *is* readable/usable that will spread widely. So what if I write horribly ugly software, that no one else can understand. Someone else down the line does a much cleaner job. Both of ours are available. Choose whichever one you want to start with to get done what you need done.
The thing that the netscape source demonstrates is that the best code does not succeed in a closed source world. What succeeds in a closed source world is glimmer and flash and glitz. All superficial crap. And it's allowed to endlessly perpetuate and form into monopolies, which focus entirely on the new glitz and flash in order to continue to collect your money. Only with herculean effort do they go back and write something that's stable.
Which goes back to my above point about Microsoft. Why so late in the game for an OS that doesn't crash every 3rd time you blink? Why in the mid 90's were we all ecstatic about recovering 32k more of free memory? 32k when we were buying memory in multiple megabytes at a time!
If you're asking me to choose between underlying quality and glitz, I'll take the underlying quality. The glitz can easily be done later.
This is, in my opinion, not terribly unlike, say, collecting and counting the number of words of every term paper of every college student across the country this year and saying it costs the same amount to write as, say, the Encyclopedia Britannica because they have roughly the same number of lines.
That might be an accurate analogy if there existed such a collection, and there were criteria by which you could exclude the huge wealth of papers that aren't accurate or aren't written well enough to be understood. In which case it would be fair to ask how much the collective effort cost to create a competitor to the Encyclopedia Britannica. But to simply collect up every college kid's paper and say this is what GNU/Linux distributions do is really stretching it. There are huge amounts of free software that does not get included in a GNU/Linux distribution, for lots of reasons, but chiefly:
It doesn't work
It isn't compatible
No one seems to use it
I have released lots of my own free software that fits into one of the above categories.
The software that works, is compatible, and has some level of wide spread usage will get included.
You seem to be upset that another criterion for the inclusion of software in a distribution is that it must also look like or have some level of consistency across interface with the other software.
The good news for you is that if that's an important criterion for you, then you can choose based on that criterion. Don't use open source/free software that you don't like. Or, even better, take the Red Hat distribution and modify it to exclude the software that doesn't match your particular criteria. You might have called it Mandrake but that name's already taken. My point is that free software offers you choices, an explicit requirement for freedom.
... and how was it again, that I choose to remove Internet Explorer from Windows?
Winner: Mr Linus Torvalds, Programmer, Transmeta Corp., USA.
Linus Torvalds was selected for his work on Linux and the Open Source Software Paradigm.
Linus Torvalds wrote the kernel of Linux and established the Open Source software model
Not to add fuel to the flames, but this is the kind of thing that really gets under RMS's skin. Technically it's correct. Since RMS does free software, and OSS only got coined as a type of software post-Linux, Linus could very well be given credit for OSS.
But! It's really misleading. It makes it sound like the idea of giving away your code was invented by Linus and it wasn't. It wasn't invented by RMS either, but RMS would claim that he's the guy who's done the most for it. Heck, RMS doesn't even get a token "GNU/Linux" in these awards.
If it's only worth 10k to me (and to all the other individuals/organizations), then the application will simply never get built in RMS' world.
Very interesting, and I'm not sure that I can refute it yet, or even that I want to. I don't hold the same views as RMS w.r.t. proprietary software. Still, I don't think it's fair to say that expensive software won't get built in RMS's world. Linux (or in RMS-speak GNU/Linux) got built despite the fact that it required >$1 billion in development costs. And cost Linus nearly nothing to get the whole thing started.
Now, if you personally want a custom OS, paying someone to tweak linux with your customizations is a *lot* more affordable than starting from scratch. You can even keep those changes to yourself, and not give them to anyone else. The *only* thing you can't do is release the software in a proprietary format. And, surprise surprise, this is exactly what's being done, over and over again. Some suspect that this is a trend.
Also, we already have an example of a business model where legislated openness has created some monster organizations. The pharmaceutical industry, under the governance of the FDA, is required to publish their drugs before a very long and drawn out peer review. That doesn't keep them from pooling the resources necessary to develop hundreds of failed drugs for every 1 successful drug.
Of course, the pharmaceutical industry relies heavily on patents. I'm pretty sure that RMS doesn't like those either. If a purely RMS world includes prohibiting patents, the pharmaceutical industry would be in trouble in such a world. But if we limit the scope strictly to legislated openness, the pharmaceutical industry demonstrates that huge resources can be pooled even with legislated openness.
Ahhh... I see what you're saying now. If free/open source software is legislated, in other words, if proprietary software is made illegal, then there must be some mechanism for ensuring that end users get some say in how their software works. And you're saying that if you can't vote for your features by paying for software, then the end user basically has no recourse to get the features that they want or need.
But if RMS's ideas of free software are legislated, that doesn't preclude hiring someone to code up the types of changes that you want made. It doesn't preclude you from using those features exclusively. It only precludes you from releasing those changes as proprietary software.
My point is that even in the hypothetical world of illegal proprietary software, you can't demand that developers produce features that you want without paying the developer. You can still ask, and they might do it. You can offer to pay them and they might do it. But you can't demand it of them for free.
In the open/free software world, the end user gets little to no independent influence (as a distinction from what the developer(s) themselves want) over the product. If the only game in town is open/free software, then "put up or shut up" (your choice) is all that is offered. This is what I take issue with but I'm not saying that you are necessarily guilty of it.
But this is the way that it should be - even in the hypothetical world where free/open source software is all there is. The only other alternative is slavery. If you think I'm being harsh, how else should I describe giving away the source code to my program only to be held hostage by those who didn't pay for it and now demand that I modify it to suit their needs? It's a demand for work without pay. I think slavery is the only accurate term. On the other hand, if you're willing to pay me to develop the features you want, then that's another thing altogether.
But just because that's true, I've never said anything about how someone should behave towards proprietary software. I'm certainly not saying that I think that there should be no proprietary software. I'm only talking about people's behavior towards free/open source software. You the user have no right to demand that I implement your features. You may ask, politely, and I may agree. But you can't demand. Because we're talking about my free time, and to expect me to work for you for free is equivalent to expecting me to jump into slavery.
What? I don't think I'm saying that people don't have choices. They do. I'm saying that the choices for opensource/free software are as follows:
Use the software
Use & improve the software
Don't use the software
Users get to complain to no one. I'm not kidding. If they want to complain then they can pay for that right. In fact, the only thing that justifies complaint is that you paid for something that is supposed to do some sort of work for you and it isn't doing it. But if you got the software for free, and it doesn't work, well that's life. You are no worse off than if you'd not gotten the software in the first place. In other words, you've lost nothing, so you've got nothing to complain about.
Now, of course, this doesn't mean that you can't submit bug reports when something is broken. You just don't get to demand that it get fixed. If you want guarantees that it's going to get fixed, you'll have to fix it yourself... and ideally, submit the patch back to the original maintainer - although this is not required. Or if we can come to an agreement on payment, I'll consider fixing it for you. Or maybe I'll fix it, but it's because I'm being generous, and fixing it for free. But in no case do you get to demand that I do this work for free. I may very well do it, but not because you demand it.
I'm very confused by your post. I don't see how it is that I'm limiting choice. I write a piece of software that works 100% perfectly for me. Then I give the source code to anyone who wants it. Are you saying that I'm now obligated to implement every feature request that anyone ever has for my software? I'll be happy to do that thing when you pay me. But until then, as long as my problem is solved, it's generosity on my part if I give you the source. You have no right to demand features from me.
If that's what you mean when you say I advocate the removal of choice, then I wholeheartedly agree. I do advocate the removal of your choice, if you're trying to choose to make me a slave because I've given software that doesn't have a feature that you want. If you want the feature so badly, do it yourself, you've got the source.
I certainly didn't mean to suggest that the guy is not free to complain. He is. Rather, I meant to suggest that doing so makes him an ingrate.
If I come to your house for Christmas and give you the keys to the car I drove up in, the polite response if it doesn't meet your needs is, "Thank you, but I'm afraid that I won't be able to use this." But to say, "What the !@#$ were you thinking? This car doesn't have cup holders where I need them! And how do you expect me to ride in any vehicle with less than 250HP? And it's a stick shift! I don't know how to drive stick! What kind of idiot are you?" If you did that, you'd ignore the fact that what I'm giving you is a gift. It's as if you're saying that you are entitled to a car that meets your needs, and it's my responsibility to provide it.
It isn't. Neither is it a developer's responsibility to provide you with the type of computer OS that you need for free. You're certainly free to provide feedback, but common decency suggests that you be polite about it.
some people out there want Linux to go on to bigger things and have more widespread acceptance.
If that's the case, then by all means do it. But DO it. Complaining to the developer who gave you the code, who is happy with the way it already works, is not going to do anything. What possible motivation does a developer have to solve your problem for you? It's not like you're paying him/her!
Opensource/free software is a do it yourself world.
Fortunately that means that once someone figures out how to do it, everyone can take advantage of it. But if it hasn't been done yet, and you want it, it's up to you. If you're not going to pay someone, you're in no position to demand anything. You may not like that. You may think it's elitist, but that's the way it is. If you want something done, you have to do it, or pay for it.
I don't mean to sound elitist about this. I just don't understand how you expect the world to work.
Geez, c'mon people! How can you possibly make demands of Linux? It was neither written by you nor paid for by you. It was written by people who were trying to solve their own problems. Not yours. And in an act of good will, those people gave you their code. And to this you react with complaints and demands?
You can react to this one of three ways:
Use it.
Use it, make changes and contribute back.
Don't use it.
To complain about how it works, when what you're getting is a gift is just plain wrong. It wasn't written to solve your problems. It was written to solve someone else's problem. If it also solves your problem, great, use it. If it doesn't, either fix it or use something else! But don't complain. It's ungrateful, and childish.
</flame>
true, but the average user will not go from linux to windows. If linux is ever going to beat microsoft, developers should be taking these suggestions into consideration. (or at least looking at them, rather than passing them off as "evil microsoft ideas").
I have no doubt that there are some developers out there who do things just to spite microsoft. But I suspect that most of the things that are done in the UI environment are done because the person who wrote it thought that's the way it works best - for them. And I'm sure if that developer came from a windows environ, that they'd repeat, as much as possible what they were used to.
But then someone else might decide that there's a better way to do it, and that's the way they implement it. Take cut & paste for example. There are a LOT of dumb issues surrounding cut & paste in X, but it's a ton more efficient to simply select and click button 3 than it is to select, right click, choose cut, click, right click choose paste. 2 steps instead of 6. I can't tell you how frustrated I get with the inefficiency of windows cut & paste.
So while I agree that there are a lot of dumb, poorly thought out designs in Linux UI's, those don't strike me as the major problem with most people's belief that linux isn't "easy to use". By *far* most of that is because people expect it to work a certain way and are frustrated when it doesn't or are frustrated that they may have to learn a new way to do something. That in and of itself, to me, is not enough reason to change the way something works. Why would anyone who knows how X cut & paste works, intentionally go to something less efficient?
If you (as a developer) start down the slope of building Linux (or other open source/free software) for someone other than yourself, you'll never know if you've succeeded. Then, the biggest strength of free and open source software will be lost. This type of development model works by one person solving a problem that they have, and then telling everyone else how they did it. It'll break quickly if you start trying to solve problems that you don't have (i.e. someone else's problems).
I don't want to give you the impression that I'm saying that Linux is the way it is and it don't need no stinking improvement. It certainly can use improvement, but remember who's writing it. It is being written by the people who use it - they're writing it for themselves. The fact that non-developers get to use it also, for free, is a fantastic side effect. To that gift there are only 3 reasonable responses:
Use it and say thank you.
Use it, make improvements and contribute back.
Don't use it.
A completely unreasonable, and horribly ungrateful response is to say, "you wrote this wrong", or "it's not the way *I* like it". That's something we should not say. It sounds too much like a whiney child on Christmas who didn't want the dollhouse her grandfather painstakingly built by hand, but instead wanted the dollhouse that she saw on TV, and will cry until she gets what she wants. It's childish.
Use it, use it and improve it, or don't use it. IMHO, those are the only reasonable choices.
Excellent. But if I were to hold WinXP up to the same ease of use "standards" that Linux is held to, then I would have to say that WinXP is too hard to use. It's different from what I'm used to, and therefore it requires additional training, and therefore it's too hard to use.
My point, of course, being that just because WinXP and Linux and whatever do the same things with different keystrokes does *NOT* mean that one is harder to use than the other. It just means that it's different.
For example, a Yes/No dialog appeared on the screen so I naturally hit "Y" on the keyboard instead of clicking the button. It didn't work. I also found myself trying to hit ALT-F4 to close the current window...it didn't work either.
Another example: I right-clicked on the desktop expecting to be able to change my screen resolution, but couldn't find the tool to do it. Actually, I hunted for about 1/2 hour before deciding I'd just deal with the current resolution.
You're right that there are a *lot* of small differences between the user interfaces for the operating systems. And there are a *LOT* of consistency problems within each of the interfaces. But it seems to me that most of what you've brought up are not actually detractions from Linux. But rather detractions from having to learn the quirks of something different than what you're used to.
There are *lots* of similar quirks going from Linux to winders. For example, why can't I set up WinXP so that I hit Ctl-Alt-F8 to switch to my wife's GUI environment, and Ctl-Alt-F7 to switch back to mine? The reality is that the functionality exists in both WinXP and Linux. It should not count as a detraction to WinXP that the method of using the feature is different than my personal preference. Similarly, it should not count as a detraction to Linux that the way that you change graphics resolution is not what you'd prefer.
Frankly, it should not be surprising that if you go from using an OS intended to serve the lowest common denominator, to an OS intended for flexibility that you'll have to learn some new things. It's akin to the difference between riding an airplane to get where you want to go, and flying your own airplane. The latter is dramatically more flexible, but requires a dramatically larger skill set.
I agree with the gist of this article, but it makes some logical leaps that are superman-ish in their size. One example:
Steve Duignan, consumer marketing manager for Dell in the UK and Ireland... "When a new chip or motherboard platform, like Pentium 4 and Rambus comes along, we have to evaluate if we'll ship enough to cover the cost of testing it and whether peripherals will work properly. In the case of Linux, the answer was no."
So until Linux offers the same ease of setting up, ease of use and driver stability that Microsoft has achieved with Windows XP, it looks unlikely to pose a credible threat to Microsoft's dominance of the desktop.
So the marketing manager for Dell says that they have to spend some money to verify that their new system works with Linux. In response, the author of this article decides that the reason Linux hasn't taken off on the desktop is because Dell isn't installing linux anymore. And Dell isn't doing that because Linux is too hard to install?
I think the author forgot that this testing has to take place for Windows, too. The testing has to take place for anything new that gets added to Dell's systems. They have to test new CDRW drives, DVDRW drives, anything... and the only justification for that testing is if the demand for that thing will increase sales and pay for the cost of the testing. Ease of end user installation is just plain not relevant.
It's awful expensive and difficult for Ford Motor Company to install engines into their cars. But they do it because the demand for their cars would fall to the floor if they didn't. In other words, pre-installing engines increases the demand for Ford vehicles. If the demand for pre-installed linux was there, Dell would pre-install it no matter how hard it was the first time they tried to figure it out.
I haven't missed that point. You're correct, of course. And by no means did I mean to give you the impression that I think JAVA doing this makes it any better. As you say, it's just as susceptible to the kind of attack I describe. It does have one advantage though, and that is that it runs in a sandbox, which limits the exposure of the risks.
SOAP, otoh, does not. Which means that the exposure of JAVA is determined by what can be accessed in the sandbox. The exposure to SOAP is determined by what can be accessed by SOAP... which is basically everything on the PC and everything behind the firewall.
IMHO, MS should choose either not to run SOAP over HTTP, and let administrators *easily* filter it, or run it in a sandbox. Either works for me. Until then, Schneier is 100% correct. SOAP is a serious security problem.
Of course, it's impossible to prevent someone who has access both inside and outside of the firewall from bypassing it if that person is determined to do so. But that doesn't mean that it's a good idea to deploy something to 90%+ of the world's computers that will enable anyone to do that, whether they intend to or not.
Congratulations.
I certainly agree that downloading active code is a dramatically risky proposition. But having SOAP around makes that downloaded code even *more* risky.
Creating a systematic mechanism to render a firewall, with all of its limitations, to nothing more than a router, and then deploying that to nearly every computer on the planet... you consider this a good thing? A single SOAP call may not be risky, but the implication of deploying this thing on the global state of security can't be benign.
Sorry, but all things considered I still disagree with your conclusions.
But it doesn't use SSL. httptunnel is not using the CONNECT proxy directive (which enables SSL connections through a proxy). It's using HTTP GET and HTTP POST, and that's it. To the proxy it looks like plain old HTTP. There's no SSL in it. SSHv1 yes, but not SSL. If you're unconvinced, thinking that ssh necessarily means that it's SSL, not a problem. It works with rsh, too.
The attack that I describe does require that the sender and receiver be coordinated. However (and please correct me if I'm wrong) isn't SOAP's purpose to enable communication between a server and a .NET app? If so, it would seem to me that the .NET app (running on the inside of the firewall) and the server (running on the outside of the firewall) are certainly coordinated. And most likely, the .NET app that is inside your network got downloaded from the server that you're trying to connect to!
This is, of course, entirely true, but it misses the point. The point of the demonstration is that any time you allow arbitrary bi-directional traffic, the payload of that traffic can be used to encapsulate a point to point IP link. The problem with SOAP is that it creates an architecture for doing just that, and it's going to be released on an OS that enjoys 90%+ market share, and has an application barrier to entry.
The only prudent response to this is to block all SOAP Content-Types at the firewall unless it's to a trusted source. And of course, this is exactly the point that Schneier is trying to make: SOAP is a security problem.
Then you say:
So, in order to filter SOAP we need to get a firewall with significantly more horsepower in order to examine the Content-Type field... and you sell firewalls.
How convenient.
You also say:
That is irrelevant. If you allow arbitrary outgoing requests, and their replies, then it's trivial to encapsulate an incoming request in the replies. Witness httptunnel which can be used to setup outgoing SSH connections, which in turn can be used with PPP over SSH to establish the entire IP protocol... INBOUND... All of this over port 80. Think this can't be done? Well I'm an IT auditor, whose opinions you seem to eschew. I've done it (in the lab, of course.)
All things considered, I disagree with your conclusions.
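To make the two points in this exchange concrete, here is an added example (my own code, not anything from the thread, from httptunnel or from Microsoft): a toy outbound-proxy policy that recognises SOAP from its HTTP headers and blocks it unless the destination host is on an allowlist, alongside an httptunnel-style frame that wraps arbitrary bytes in an ordinary form-encoded POST. The host names, URLs, the SSH banner and the allowlist are all constructed for the example; the only real-world facts it relies on are the SOAP media-type cues (SOAP 1.1 uses text/xml with a SOAPAction header, SOAP 1.2 uses application/soap+xml).

```python
"""Added example for the SOAP/httptunnel discussion above. Not code from
the posts, from httptunnel or from any vendor. Shows (1) a Content-Type
based SOAP filter with a trusted-host allowlist and (2) why such a filter
is not a complete control: an allowed GET/POST can still carry arbitrary
bytes. All hosts, URLs and payloads below are constructed samples."""
import base64
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# SOAP 1.1 rides on text/xml plus a SOAPAction header; SOAP 1.2 uses the
# application/soap+xml media type. These are the cues the filter keys on.
SOAP_MEDIA_TYPES = {"application/soap+xml"}


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        """Case-insensitive header lookup, as HTTP header names are."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_soap(req):
    """True if the request advertises itself as SOAP at the HTTP layer."""
    content_type = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if content_type in SOAP_MEDIA_TYPES:
        return True
    # text/xml alone is just XML; text/xml with SOAPAction is SOAP 1.1.
    return content_type == "text/xml" and req.header("SOAPAction") is not None


def policy(req, trusted_hosts):
    """Return 'allow' or 'block': SOAP only passes to an allowlisted host."""
    host = (urlsplit(req.url).hostname or "").lower()
    if is_soap(req) and host not in trusted_hosts:
        return "block"
    return "allow"


# --- the httptunnel side: arbitrary bytes inside an innocuous POST ---
def tunnel_wrap(payload, url="http://www.example.com/upload"):
    """Frame raw bytes (e.g. the start of an SSH session) as a form POST
    that carries no SOAP cues, so the filter above will pass it."""
    body = b"d=" + base64.urlsafe_b64encode(payload)
    return Request("POST", url, {
        "Content-Type": "application/x-www-form-urlencoded",
        "Content-Length": str(len(body)),
    }, body)


def tunnel_unwrap(req):
    """Recover the framed bytes on the far side of the proxy."""
    if not req.body.startswith(b"d="):
        raise ValueError("not a tunnel frame")
    return base64.urlsafe_b64decode(req.body[2:])


# Constructed sample traffic (hosts and allowlist are made up).
TRUSTED = {"soap.partner.example"}
SOAP_BODY = (b'<?xml version="1.0"?><soap:Envelope '
             b'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soap:Body/></soap:Envelope>')
SOAP_TO_UNKNOWN = Request("POST", "http://unknown.example/rpc",
    {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '"urn:Ping"'},
    SOAP_BODY)
SOAP_TO_TRUSTED = Request("POST", "http://soap.partner.example/rpc",
    {"Content-Type": "application/soap+xml"}, SOAP_BODY)
PLAIN_XML = Request("POST", "http://unknown.example/feed",
    {"Content-Type": "text/xml"}, b"<rss/>")
SSH_BANNER = b"SSH-1.5-example\r\n"  # constructed, stands in for a real banner


def demo():
    """Run the SOAP cases and one tunnel frame through the policy."""
    results = {
        "soap_to_unknown": policy(SOAP_TO_UNKNOWN, TRUSTED),
        "soap_to_trusted": policy(SOAP_TO_TRUSTED, TRUSTED),
        "plain_xml": policy(PLAIN_XML, TRUSTED),
    }
    frame = tunnel_wrap(SSH_BANNER)
    results["tunnel_frame"] = policy(frame, TRUSTED)
    results["tunnel_roundtrip"] = tunnel_unwrap(frame) == SSH_BANNER
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Running it blocks the SOAP call to the unknown host, allows the one to the allowlisted host, leaves plain XML alone, and passes the tunnel frame untouched while the far end recovers the original bytes. That last line is the whole argument of the thread in miniature: the Content-Type check is cheap and worth having for traffic that announces itself as SOAP, but anything that is allowed to make an outgoing request and read the reply can carry a byte stream, and the filter cannot tell.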
When Linus switched to the AA VM, I got the impression that one of the key differences between the AA VM and the RvR VM is that Rik's VM is much more flexible, but with that flexibility comes complexity, which is why Linus switched to AA's VM. AA's was much simpler to understand and helped to stabilize the VM problems. Does the above quote mean that the AA VM isn't going to be able to handle the requirements to fix this bug? Is this a plug to put back RvR's VM?
I'm not trying to start a flame war here, just want to understand if I understood what the final paragraph was saying. Please mod me down if I'm way off base, but help me understand too!
Whoops! It looks like you weren't responding to my post, but to someone else's. I didn't see that there was one stuck in there. Sorry for the harsh words. Thought you were talkin' to me.
Move along folks. Nothing to see here. Just some idiot trying to gobble some crow. Go back to your homes.
Perhaps you misunderstood my post. I use free software right now for just about everything. At work this isn't true, but on my own time and my own computers I use free software (in the RMS sense of the word) whenever I can. I do this because right now, the free software is better. There is some sense of using it because it's also morally correct, but that's not the primary driver. I use it because it's better. But I've bought non-free games. Why? Because they're better.
If a non-free OS comes along that is better than what I'm currently using (Debian GNU/Linux) then I'll use it. By better, I mean that it does a better job of meeting my needs. I'm quite happy with free software right now (except for games) so I use it.
I don't think my post was a troll. I said that free software, right now is better than non-free software. So the fact that I'm trying to meet my needs as best suits me, and the possibility that non-free software might meet my needs better, that makes my post a troll?
I hope that you don't really believe that. Because then you're saying that free software is not really free. It's an edict. More than that, it's an edict that's above reproach. I'm not allowed to even think that non-free software might meet my needs more than anything in the free software world?
Like I said, I hope you don't believe that.
Declare victory. I think Linus once said, "If Microsoft starts producing good software, we've won."
Personally, I think this is the goal: to get good software. I enjoy the fact that currently the best software around doesn't cost me any money to obtain. But I'm not going to maintain some sort of religious fanaticism about it. If better software comes along that costs money, I'll buy it.
How many of you play only free games on your computers? Me either. I play Q3A or SimCity. I paid for them. Why? Because they're better than the free stuff. I'll pay for an OS too, if it's better than the free stuff.
This guy is right on the money. Making security a priority can only be accomplished through making good design and good code a priority. And those won't be a priority unless there's some sort of pressure for it. Lowering insurance costs is one pressure. Positive PR is another. But more powerful than both of those is the pressure to keep customers from switching to a viable competitor.
And this, I think, is exactly the thing we need: a viable competitor to Microsoft. Microsoft, of course, doesn't want this. Interestingly enough, this will also help deal with Rep. Rick Boucher's recent thoughts on the prevention of cyberterrorism. With all due respect to the many good ideas that Rep. Boucher has made, when he suggested enforcing product liability requirements on software producers, he assumed that was the only way to get better software. But it's not. Competition will be much more effective. "When Microsoft starts creating good software, we've won." - Linus Torvalds. Unfortunately, not only is Boucher's suggestion not as effective as competition, it's got a really nasty side effect: it would effectively kill the only potential competitor to Microsoft on the horizon: open source & free software.
Competition will breed better software. If a competitive market place still produces unsafe products (as was the case with the automobile manufacturers of the '60s) then perhaps new laws make sense.
The point is that the solution to both problems ("cyber-terrorism" and software security) is competition. If the government is going to do anything, let's encourage them to do something that opens up competition to the MS juggernaut. There currently is none, so make laws that produce competition. If, and only if, that doesn't work, then think about other ways to enforce accountability - like product liability for software producers. But don't put the cart before the horse.
$.02
Unfortunate for all of us.
Amen, brother! Score:+1,Insightful (virtual moderator point for you!)
Because it's a poll. When someone reads that 74% of poll respondents think blah, they assume that it's an accurate sample of what everyone thinks. But those same people conveniently gloss over the fact that this is a non-scientific poll.
What you see here is an attempt by Microsoft to convince their skeptics that lots of people like Microsoft. Microsoft couldn't care less about the people who already chose them. They want to convince the people who voted for Java that they're in the minority, and they ought to reconsider switching to .NET... "everyone's doing it!". And in the software developer world, the more in the minority you are, the more difficult it is to sell your wares.
It's worse than normal marketing. It's seriously slimy. It's not just a lie. It's an attempt to make someone else (ZDNet) lie for you! It's despicable... and no less so when /. does it.
The proprietary world is not doing any better at paying attention to quality. Why did it take until late 1995 before most computer users could effectively use more than 640k of memory? Why did it take until late 2000 until pre-emptive multitasking entered the home market? I have a copy of WinME sitting on a 4 month old computer at my house that crashes multiple times a day! Pre-emptive multitasking originated in the 60's! Exactly where were you thinking of quality in the proprietary software world?
This is exactly correct. Those developers develop what they want. This is *good* news. Now the control of features is distributed amongst whoever wants it. Not centralized with the few who are merely guessing at what someone else wants.
This is a problem that plagues closed software also. Take the release of the netscape source code. It was so horribly un{readable,usable} that the mozilla project scrapped it altogether and started from scratch.
If the hypothetical open source/free software that you speak of is not in a state that outside users can use it, no outside user will use it. It's only the software that *is* readable/usable that will spread widely. So what if I write horribly ugly software, that no one else can understand. Someone else down the line does a much cleaner job. Both of ours is available. Choose which ever one you want to start with to get done what you need done.
The thing that the netscape source demonstrates is that the best code does not succeed in a closed source world. What succeeds in a closed source world is glimmer and flash and glitz. All superficial crap. And it's allowed to endlessly perpetuate and form into monopolies, which focus entirely on the new glitz and flash in order to continue to collect your money. Only with herculean effort do they go back and write something that's stable.
Which goes back to my above point about Microsoft. Why so late in the game for an OS that doesn't crash every 3rd time you blink? Why in the mid 90's were we all ecstatic about recovering 32k more of free memory? 32k when we were buying memory in multiple megabytes at a time!
If you're asking me to choose between underlying quality and glitz, I'll take the underlying quality. The glitz can easily be done later.
That might be an accurate analogy if there existed such a collection, and there were criteria by which you could exclude the huge wealth of papers that aren't accurate or aren't written well enough to be understood. In which case it would be fair to ask how much the collective effort cost to create a competitor to the Encyclopedia Britannica. But to simply collect up every college kid's paper and say this is what GNU/Linux distributions do is really stretching it. There are huge amounts of free software that does not get included in a GNU/Linux distribution, for lots of reasons, but chiefly:
- It doesn't work
- It isn't compatible
- No one seems to use it
I have released lots of my own free software that fits into one of the above categories. The software that works, is compatible, and has some level of widespread usage will get included. You seem to be upset that another criterion for the inclusion of software in a distribution is that it must also look like or have some level of consistency across interface with the other software.
The good news for you is that if that's an important criterion for you, then you can choose based on that criterion. Don't use open source/free software that you don't like. Or, even better, take the Red Hat distribution and modify it to exclude the software that doesn't match your particular criteria. You might have called it Mandrake but that name's already taken. My point is that free software offers you choices, an explicit requirement for freedom.
But! It's really misleading. It makes it sound like the idea of giving away your code was invented by Linus and it wasn't. It wasn't invented by RMS either, but RMS would claim that he's the guy who's done the most for it. Heck, RMS doesn't even get a token "GNU/Linux" in these awards.
Very interesting, and I'm not sure that I can refute it yet, or even that I want to. I don't hold the same views as RMS w.r.t. proprietary software. Still, I don't think it's fair to say that expensive software won't get built in RMS's world. Linux (or in RMS-speak GNU/Linux) got built despite the fact that it required >$1 billion in development costs. And cost Linus nearly nothing to get the whole thing started.
Now, if you personally want a custom OS, paying someone to tweak linux with your customizations is a *lot* more affordable than starting from scratch. You can even keep those changes to your self, and not give them to anyone else. The *only* thing you can't do is release the software in a proprietary format. And, surprise surprise, this is exactly what's being done, over and over again. Some suspect that this is a trend.
Also, we already have an example of a business model where legislated openness has created some monster organizations. The pharmaceutical industry, under the governance of the FDA, is required to publish their drugs before a very long and drawn out peer review. That doesn't keep them from pooling the resources necessary to develop hundreds of failed drugs for every 1 successful drug.
Of course, the pharmaceutical industry relies heavily on patents. I'm pretty sure that RMS doesn't like those either. If a purely RMS world includes prohibiting patents, the pharmaceutical industry would be in trouble in such a world. But if we limit the scope strictly to legislated openness, the pharmaceutical industry demonstrates that huge resources can be pooled even with legislated openness.
Ahhh... I see what you're saying now. If free/open source software is legislated, in other words, if proprietary software is made illegal, then there must be some mechanism for ensuring that end users get some say in how their software works. And you're saying that if you can't vote for your features by paying for software, then the end user basically has no recourse to get the features that they want or need.
But if RMS's ideas of free software are legislated, that doesn't preclude hiring someone to code up the types of changes that you want made. It doesn't preclude you from using those features exclusively. It only precludes you from releasing those changes as proprietary software.
My point is that even in the hypothetical world of illegal proprietary software, you can't demand that developers produce features that you want without paying the developer. You can still ask, and they might do it. You can offer to pay them and they might do it. But you can't demand it of them for free.
But this is the way that it should be - even in the hypothetical world where free/open source software is all there is. The only other alternative is slavery. If you think I'm being harsh, how else should I describe giving away the source code to my program only to be held hostage by those who didn't pay for it and now demand that I modify it to suit their needs? It's a demand for work without pay. I think slavery is the only accurate term. On the other hand, if you're willing to pay me to develop the features you want, then that's another thing altogether.
But just because that's true, I've never said anything about how someone should behave towards proprietary software. I'm certainly not saying that I think that there should be no proprietary software. I'm only talking about people's behavior towards free/open source software. You the user have no right to demand that I implement your features. You may ask, politely, and I may agree. But you can't demand. Because we're talking about my free time, and to expect me to work for you for free is equivalent to expecting me to jump into slavery.
Thanks for the discussion.
- Use the software
- Use & improve the software
- Don't use the software
Users get to complain to no one. I'm not kidding. If they want to complain then they can pay for that right. In fact, the only thing that justifies complaint is that you paid for something that is supposed to do some sort of work for you and it isn't doing it. But if you got the software for free, and it doesn't work, well that's life. You are no worse off than if you'd not gotten the software in the first place. In other words, you've lost nothing, so you've got nothing to complain about. Now, of course, this doesn't mean that you can't submit bug reports when something is broken. You just don't get to demand that it get fixed. If you want guarantees that it's going to get fixed, you'll have to fix it yourself... and ideally, submit the patch back to the original maintainer - although this is not required. Or if we can come to an agreement on payment, I'll consider fixing it for you. Or maybe I'll fix it, but it's because I'm being generous, and fixing it for free. But in no case do you get to demand that I do this work for free. I may very well do it, but not because you demand it.
I'm very confused by your post. I don't see how it is that I'm limiting choice. I write a piece of software that works 100% perfectly for me. Then I give the source code to anyone who wants it. Are you saying that I'm now obligated to implement every feature request that anyone ever has for my software? I'll be happy to do that thing when you pay me. But until then, as long as my problem is solved, it's generosity on my part if I give you the source. You have no right to demand features from me.
If that's what you mean when you say I advocate the removal of choice, then I wholeheartedly agree. I do advocate the removal of your choice, if you're trying to choose to make me a slave because I've given software that doesn't have a feature that you want. If you want the feature so badly, do it yourself, you've got the source.
If I come to your house for Christmas and give you the keys to the car I drove up in, the polite response if it doesn't meet your needs is, "Thank you, but I'm afraid that I won't be able to use this." But to say, "What the !@#$ were you thinking? This car doesn't have cup holders where I need them! And how do you expect me to ride in any vehicle with less than 250HP? And it's a stick shift! I don't know how to drive stick! What kind of idiot are you?" If you did that, you'd ignore the fact that what I'm giving you is a gift. It's as if you're saying that you are entitled to a car that meets your needs, and it's my responsibility to provide it.
It isn't. Neither is it a developer's responsibility to provide you with the type of computer OS that you need for free. You're certainly free to provide feedback, but common decency suggests that you be polite about it.
If that's the case, then by all means do it. But DO it. Complaining to the developer who gave you the code, who is happy with the way it already works, is not going to do anything. What possible motivation does a developer have to solve your problem for you? It's not like you're paying him/her!
Opensource/free software is a do it yourself world. Fortunately that means that once someone figures out how to do it, everyone can take advantage of it. But if it hasn't been done yet, and you want it, it's up to you. If you're not going to pay someone, you're in no position to demand anything. You may not like that. You may think it's elitist, but that's the way it is. If you want something done, you have to do it, or pay for it.
I don't mean to sound elitist about this. I just don't understand how you expect the world to work.
Ingrate!
Geez, c'mon people! How can you possibly make demands of Linux? It was neither written by you nor paid for by you. It was written by people who were trying to solve their own problems. Not yours. And in an act of good will, those people gave you their code. And to this you react with complaints and demands?
You can react to this one of three ways:
- Use it.
- Use it, make changes and contribute back.
- Don't use it.
To complain about how it works, when what you're getting is a gift is just plain wrong. It wasn't written to solve your problems. It was written to solve someone else's problem. If it also solves your problem, great, use it. If it doesn't, either fix it or use something else! But don't complain. It's ungrateful, and childish.</flame>
I have no doubt that there are some developers out there who do things just to spite microsoft. But I suspect that most of the things that are done in the UI environment are done because the person who wrote it thought that's the way it works best - for them. And I'm sure if that developer came from a windows environ, that they'd repeat, as much as possible what they were used to.