``But now the people who figure out just where to stow everyone on the space shuttle have to find space for spare double-A batteries, because the iPods tend to be battery burners!''
Compared to CD players? (mentioned earlier in the article) That surprises me.
Yes, but your approach assumes that people are actually trying to make things secure. The problem is that they aren't.
And frankly, I can't really blame them. When you are just getting started, or when you are under time pressure (often, one of these applies), you are happy enough once you get it to set up so that the happy flow works. Then you move on to other stuff.
And let's face it: security is difficult. There are many factors you don't control, and you must guard against all possible attack vectors while still keeping the system usable. Before you can do a good job at that, there is a _lot_ you need to know. I can imagine that if you are a budding coder, or a sysadmin with no real experience in programming, you'll be hard pressed to even understand a large part of the security literature. Yet I bet it's those people who set up the most websites.
``I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.''
Don't fool yourself into thinking that, since they are getting paid for it, they are better at it than people who aren't getting paid. Most people I've seen "maintaining IIS" maintained IIS because it had a GUI. That is, they could fire up the config tool and check boxes until stuff seemed to work.
By contrast, most people I know who maintain Apache learn quite some about how HTTP works and how Apache works, first. I don't know if that is because they want to, or because Apache forces them to before it works at all, but the fact is that they strike me as more knowledgeable than the IIS maintainers I've seen.
None of the above says anything about security, though. Apache's configuration can get horribly complicated, opening the door to ridiculous security holes. Also, many people who run Linux then sit smiling snugly and sneer at people running Windows about how much more secure they are, just because they run Linux. That's not a way to get good security, of course. Finally, as others have pointed out, to deface a website, you don't need to exploit a vulnerability in the web server. Most defacements probably happen through shoddy code in the web site itself.
``Hopefully, when the supply of IPv4 addresses runs out (in a little over two years), there will be a Chinese fire drill for everyone to migrate to IPv6 quickly. If this does not happen, things will get ugly.''
Already happened. Nowadays, we have NAT pretty much everywhere, which broke more applications than I care to remember. Most annoyingly, it broke many voice and video conferencing apps, and now we're stuck with Skype (stuck with, because its protocol is proprietary).
Open source is growing. Twenty years ago, virtually nobody had heard about it. Ten years ago, all the cool kids were talking about it, but few people were using it, and companies usually used it in secret. Now, open source is virtually everywhere. All the major players in the computer world are using it and advertising that they are. It's in many home routers. Most organizations I have been to in the past years have at least a Linux box somewhere. The one company I've visited that didn't was a Microsoft shop that developed using the latest Microsoft tools and a bunch of open source libraries. Few people know what open source is, but more and more people have interacted with it in some way.
Linux, Apache, Firefox? The number of people using those is enormous. Perl, PHP, and MySQL are huge, too. And now Java is going open source, which means that a huge part of commercial software development will be done using open source (to the extent that this wasn't true already; think JBoss, Ant, et al.)
Last, but not least, open source is on the desktop. And I don't just mean the odd geek who runs Linux on his desktop. I've already mentioned Firefox, but let's not forget that everybody who uses a Mac uses open source.
You have software and protocols mixed up. It is open standards for file formats, protocols, etc. that allows interoperability. Open source is mainly a way to put the users of the software in control of the software: you don't have to rely on the vendor for bugfixes and other improvements, as you would with closed source software. Of course, it is also true that open source developers (including users) tend to favor open standards, but they are still different things.
``Welcome to competition. Open Source tends to cover the areas where software is well established and should be commoditized. As much as we'd all like to keep charging $250 a copy for a library to unzip files, technology marches on. Commercial providers of technology must work harder to win the dollars of their customer.''
I agree with the first part, but the last sentence isn't necessarily true. I've worked in commercial software development for some time now, and there has been an ongoing shift towards open source libraries and development tools. Open source makes it harder to compete when you are in the business of making that kind of software, but it also provides an incredible boon to software development in general: where you used to have to code up your own frameworks or pay someone else to do it, you can now grab an open source framework from the web. In some cases, you can even develop your whole application by gluing together some open source frameworks.
This, I think, is a really great and really underappreciated success of open source. Using what open source provides us with, we can now make yesteryear's software with less effort. And with the effort that is left, we can build more advanced things.
``Will there finally be a way to give my user account admin privileges? I mean, like in Windows XP, so I don't have to type in the fucking password every time I do anything?''
You have to type your password every time? I use sudo, which asks for my password once, and then allows me to either get a root shell (with the -s option) or doesn't ask my password again for the next 5 minutes or so. But that's from the command line. Still, I would think Gnome would use that functionality, so that you get the same behavior in the GUI. Perhaps that was naive of me, though.
``I can honestly say that Ubuntu seems to be very usable for most people right now. The only issues are with stupid leagal foulup''
Perhaps there should be a "free world" edition of Ubuntu, aimed at parts of the world where the legal restrictions on the "existing, but not provided by default for legal reasons" pieces do not apply.
So that, say, people outside the USA can play MP3s out of the box.
``I tried pointing Smart at the Development repos for the Gnome RC but there isn't a way to say "upgrade all Gnome" - no meta package or anything that I saw - so I didn't feel like doing it package by package.''
Maybe you should file a feature request for that. On Debian, I have "gnome" and "gnome-desktop-environment". I suppose installing either one of those would give me a complete Gnome installation.
I don't hate Gnome anymore. The beauty of unices is that you can choose the GUI that best suits you. It seems that more developers realize that, too, and don't require you to install large parts of Gnome just to run a simple GUI. I don't know if Gnome is still as much of a resource hog as it used to be, but I don't care anymore: my applications work without it, so I don't have to use it. It's there for those who want it, and those who don't want it can do without it. It doesn't get any better than that.
I also think Gnome developers are doing a lot of cool things.
``The advice would seem to throw more doubt on OOXML's suitability as an international document standard.''
That suggests there is such suitability, or at least doubt. I haven't looked closely, but from what I've heard, it seems that:
1. OOXML is horrible 2. OOXML allows Microsoft to simply embed their existing binary formats in a so-called XML file 3. This does nothing to improve interoperability and implementability 4. We already have ODF as an approved and implemented (by multiple vendors) standard 5. OOXML seems to be a "me too" from Microsoft, afraid to be passed up when organizations start to mandate interoperable standards 6. The name "OOXML" causes a lot of confusion with OpenOffice.org. I can't help but think this is deliberate. 7. Microsoft tries very hard to convince the world that, this time, they are not screwing us all, and that they will not assert any intellectual property claims against other implementations of OOXML 8. Actually reading Microsofts promises in this regard reveals that they only apply to _parts_ of the standard, particularly omitting some parts that they are likely to use (see point 2). 9. The only reason OOXML is even close to being accepted by ISO is that Microsoft stuffed the committee.
All in all, I can't avoid the impression that the only reason OOXML is still taken seriously is that some people are seriously wrong-headed. It obviously isn't a good idea, and we should stop wasting our time on it. But if enough people keep making noise about it, it seems just like there is still doubt about that.
``I realize almost everyone here knew this back when this whole thing began, but I fear that the music and movie industries will largely ignore this, or, worse, try to improve upon it somehow.''
I don't mind if they improve it. If they can come up with a scheme that allows legitimate use (using the software and hardware of _my_ choice, thank you very much) while making unauthorized use harder, I will be happy. The problem I have with current DRM schemes is that they restrict legitimate use (which then isn't even legitimate anymore, due to _incredibly_ stupid laws).
``The current models are failing, but they don't want to admit it.''
Sometimes, I think we only _think_ they are failing, because we fail to see what they are really after.
At other times, I think it works like this. The DRM schemes aren't developed by the entities whose intellectual property they are used to "protect". Rather, they are developed by companies that then proceed to market their technology to the rights owners. Sort of along the lines of "You are losing millions because of piracy. Our proprietary technology (hence, you can only buy it from us) will help protect your intellectual property and curb lost sales." In other words, it's the old "sow fear, harvest meek sheeple" tactic. Any technically inclined person will see that the DRM scheme won't help against piracy and will only harm legitimate use, but it's not being marketed to technically inclined people, it's being marketed to managers. And it sounds like a good idea: for a small fee, you can protect against millions in lost sales. Clever marketing. The same thing that makes so many other lousy products successful.
Apparently, the people in at least one company got the bright idea to actually measure and compare the DRMful situation with the DRMless situation. And they apparently came to the conclusion that DRM costs them more then it gains them. Hurray! They've done their homework, and their new policy is good for them and good for their customers. Win-win. It's how business is supposed to be.
``They'll probably continue investing more into an arms race they can't win.''
Likely some will, some won't. Corporations are already getting off the DRM bandwagon. Perhaps more of them will do a cost-benefit analysis. Perhaps they will come to the conclusion that DRM is a net loss to them. Perhaps they will discontinue buying into it. Or perhaps they will continue to fall for clever marketing.
``Maybe a mixture of diminishing sales and wasted money will cripple them enough that others can rise up and take their place.''
Now this is the real problem. This is what would happen if there were healthy competition. But in the world of entertainment, money and power are concentrated in a handful of players. Often, this is reinforced by laws. Actual competition is difficult and sometimes even illegal. Fortunately, the Internet and the examples of open source, Wikipedia, file sharing programs, etc. make it easy to experiment and provide ideas for directions for expirimentation. New and better models will develop and, in time, may even prevail.
I have been working on a list of games that will run on non-Windows platforms. If anyone has games they would like to be added, please contact me. If you could include both a link to a website about the game and a short description of the game, that would be grand.
``No. I have read it here and here, but I'm not certain whether Vista actually does this or if it's just a massive fud campaign. From what I've read, it seems to be true. But as I said, I'm not 100% sure.''
And since it's closed-source software, you're not allowed to go find out for yourself.
Instead of deleting allegedly "trivial" articles, why not mark them? Wikipedia already has a system in place where articles are marked as "stub", "controversial", etc. There can be other markings that indicate that articles are problematic in the ways that "trivial" articles would be; for example, I could imagine an article being marked as "rarely visited", with an explanation that this means the article has had less peer review than is desirable and thus might be inaccurate.
``Wikipedia and/. do a reasonably good job when a subject has high traffic. Those with little traffic, however, probably have no experts watching, and the ignorant non-experts assert horrible misinformation.''
Yes, indeed, you are completely right.
``Your mistake is that you're conflating simple review, with a user system. You can eliminate the inaccuracies in magazines, encyclopedias, and the like, if you just have multiple experts reviewing every statement (as opposed to one low-rent semi-expert with no error checking)... It's called peer-review in scientific circles.''
Yes, absolutely. That is actually what I should have said in the part of my post about comments and moderation. It is not the fact that the content is generated by "users" instead of "experts" that makes (some) user-driven sites provide better information, it is the fact that they do peer review right.
And, of course, as you pointed out, there is a definite problem with user-run and reviewed sites in that they propagate ideas that are _popular_, rather than ideas that are _correct_. On the other hand, I am not so sure the same problem doesn't occur in expert peer reviewed systems.
Yes, but what are the threats we are protecting against? And are the measures we are taking actually effective in protecting against those threats? What about the threats we are not protecting against? Are these measures increasing other threats? When we factor in everything, do the measures make things better or worse?
And let's not downplay the importance of feelings. Because, in the end, that is all I _really_ care about. Of course I feel better if there are fewer successful attacks. I also feel better if I have more money to spend, because less of it went into supposed security programmes. And if I felt scared, I suppose I would feel better if I got the feeling something was being done to protect me. I don't feel good when I have to throw away my shampoo or the drink I brought with me to have on board.
How do we find a balance between all of the above? I'd say one way is to take a look at how airport security works in Israel. Regardless of whether there is a real terrorist threat in western Europe or the USA, I think the case can be made that there is such a threat in Israel. Yet, you don't hear about Israeli planes being blown up or hijacked and flown into skyscrapers. Sounds like they have good enough security. How does it work? How expensive is it? How intrusive is it? Do they take fingerprints, confiscate fluids, and have people take off their shoes? Do they focus on specific groups of people? Are there things we could learn from them?
Slashdot Mirror
FTFA:
``But now the people who figure out just where to stow everyone on the space shuttle have to find space for spare double-A batteries, because the iPods tend to be battery burners!''
Compared to CD players? (mentioned earlier in the article) That surprises me.
Yes, but your approach assumes that people are actually trying to make things secure. The problem is that they aren't.
And frankly, I can't really blame them. When you are just getting started, or when you are under time pressure (often, one of these applies), you are happy enough once you get it to set up so that the happy flow works. Then you move on to other stuff.
And let's face it: security is difficult. There are many factors you don't control, and you must guard against all possible attack vectors while still keeping the system usable. Before you can do a good job at that, there is a _lot_ you need to know. I can imagine that if you are a budding coder, or a sysadmin with no real experience in programming, you'll be hard pressed to even understand a large part of the security literature. Yet I bet it's those people who set up the most websites.
``I guess IIS users on average are better at maintaining a server, as they probably are employed to do so.''
Don't fool yourself into thinking that, since they are getting paid for it, they are better at it than people who aren't getting paid. Most people I've seen "maintaining IIS" maintained IIS because it had a GUI. That is, they could fire up the config tool and check boxes until stuff seemed to work.
By contrast, most people I know who maintain Apache learn quite some about how HTTP works and how Apache works, first. I don't know if that is because they want to, or because Apache forces them to before it works at all, but the fact is that they strike me as more knowledgeable than the IIS maintainers I've seen.
None of the above says anything about security, though. Apache's configuration can get horribly complicated, opening the door to ridiculous security holes. Also, many people who run Linux then sit smiling snugly and sneer at people running Windows about how much more secure they are, just because they run Linux. That's not a way to get good security, of course. Finally, as others have pointed out, to deface a website, you don't need to exploit a vulnerability in the web server. Most defacements probably happen through shoddy code in the web site itself.
``Hopefully, when the supply of IPv4 addresses runs out (in a little over two years), there will be a Chinese fire drill for everyone to migrate to IPv6 quickly. If this does not happen, things will get ugly.''
Already happened. Nowadays, we have NAT pretty much everywhere, which broke more applications than I care to remember. Most annoyingly, it broke many voice and video conferencing apps, and now we're stuck with Skype (stuck with, because its protocol is proprietary).
Didn't Microsoft make v6 the default in Vista?
I have only one question.
Can it also give me news stories with no bias?
Ah well. It was worth a shot.
``For example my parents can't stand CNN because of a percieved liberal bias, so they only watch FOX news.''
That would be funny if it wasn't so sad.
Open source is growing. Twenty years ago, virtually nobody had heard about it. Ten years ago, all the cool kids were talking about it, but few people were using it, and companies usually used it in secret. Now, open source is virtually everywhere. All the major players in the computer world are using it and advertising that they are. It's in many home routers. Most organizations I have been to in the past years have at least a Linux box somewhere. The one company I've visited that didn't was a Microsoft shop that developed using the latest Microsoft tools and a bunch of open source libraries. Few people know what open source is, but more and more people have interacted with it in some way.
Linux, Apache, Firefox? The number of people using those is enormous. Perl, PHP, and MySQL are huge, too. And now Java is going open source, which means that a huge part of commercial software development will be done using open source (to the extent that this wasn't true already; think JBoss, Ant, et al.)
Last, but not least, open source is on the desktop. And I don't just mean the odd geek who runs Linux on his desktop. I've already mentioned Firefox, but let's not forget that everybody who uses a Mac uses open source.
Really, open source is all around us.
You have software and protocols mixed up. It is open standards for file formats, protocols, etc. that allows interoperability. Open source is mainly a way to put the users of the software in control of the software: you don't have to rely on the vendor for bugfixes and other improvements, as you would with closed source software. Of course, it is also true that open source developers (including users) tend to favor open standards, but they are still different things.
``Welcome to competition. Open Source tends to cover the areas where software is well established and should be commoditized. As much as we'd all like to keep charging $250 a copy for a library to unzip files, technology marches on. Commercial providers of technology must work harder to win the dollars of their customer.''
I agree with the first part, but the last sentence isn't necessarily true. I've worked in commercial software development for some time now, and there has been an ongoing shift towards open source libraries and development tools. Open source makes it harder to compete when you are in the business of making that kind of software, but it also provides an incredible boon to software development in general: where you used to have to code up your own frameworks or pay someone else to do it, you can now grab an open source framework from the web. In some cases, you can even develop your whole application by gluing together some open source frameworks.
This, I think, is a really great and really underappreciated success of open source. Using what open source provides us with, we can now make yesteryear's software with less effort. And with the effort that is left, we can build more advanced things.
Actually, that's a really good idea. Is there such a system in place already?
That's so nerdy. A congressman can code assembly, and all you ask is "what kind?". I like. :-D
``Will there finally be a way to give my user account admin privileges? I mean, like in Windows XP, so I don't have to type in the fucking password every time I do anything?''
You have to type your password every time? I use sudo, which asks for my password once, and then allows me to either get a root shell (with the -s option) or doesn't ask my password again for the next 5 minutes or so. But that's from the command line. Still, I would think Gnome would use that functionality, so that you get the same behavior in the GUI. Perhaps that was naive of me, though.
``BTW, does Gnome now allows switching the spelling language of an application during the use of it?''
WTF?! You mean that this has not been working? I'm amazed...
``I can honestly say that Ubuntu seems to be very usable for most people right now. The only issues are with stupid leagal foulup''
Perhaps there should be a "free world" edition of Ubuntu, aimed at parts of the world where the legal restrictions on the "existing, but not provided by default for legal reasons" pieces do not apply.
So that, say, people outside the USA can play MP3s out of the box.
``I tried pointing Smart at the Development repos for the Gnome RC but there isn't a way to say "upgrade all Gnome" - no meta package or anything that I saw - so I didn't feel like doing it package by package.''
Maybe you should file a feature request for that. On Debian, I have "gnome" and "gnome-desktop-environment". I suppose installing either one of those would give me a complete Gnome installation.
I don't hate Gnome anymore. The beauty of unices is that you can choose the GUI that best suits you. It seems that more developers realize that, too, and don't require you to install large parts of Gnome just to run a simple GUI. I don't know if Gnome is still as much of a resource hog as it used to be, but I don't care anymore: my applications work without it, so I don't have to use it. It's there for those who want it, and those who don't want it can do without it. It doesn't get any better than that.
I also think Gnome developers are doing a lot of cool things.
``The advice would seem to throw more doubt on OOXML's suitability as an international document standard.''
That suggests there is such suitability, or at least doubt. I haven't looked closely, but from what I've heard, it seems that:
1. OOXML is horrible
2. OOXML allows Microsoft to simply embed their existing binary formats in a so-called XML file
3. This does nothing to improve interoperability and implementability
4. We already have ODF as an approved and implemented (by multiple vendors) standard
5. OOXML seems to be a "me too" from Microsoft, afraid to be passed up when organizations start to mandate interoperable standards
6. The name "OOXML" causes a lot of confusion with OpenOffice.org. I can't help but think this is deliberate.
7. Microsoft tries very hard to convince the world that, this time, they are not screwing us all, and that they will not assert any intellectual property claims against other implementations of OOXML
8. Actually reading Microsofts promises in this regard reveals that they only apply to _parts_ of the standard, particularly omitting some parts that they are likely to use (see point 2).
9. The only reason OOXML is even close to being accepted by ISO is that Microsoft stuffed the committee.
All in all, I can't avoid the impression that the only reason OOXML is still taken seriously is that some people are seriously wrong-headed. It obviously isn't a good idea, and we should stop wasting our time on it. But if enough people keep making noise about it, it seems just like there is still doubt about that.
``I realize almost everyone here knew this back when this whole thing began,
but I fear that the music and movie industries will largely ignore this,
or, worse, try to improve upon it somehow.''
I don't mind if they improve it. If they can come up with a scheme that
allows legitimate use (using the software and hardware of _my_ choice,
thank you very much) while making unauthorized use harder, I will be
happy. The problem I have with current DRM schemes is that they
restrict legitimate use (which then isn't even legitimate anymore,
due to _incredibly_ stupid laws).
``The current models are failing, but they don't want to admit it.''
Sometimes, I think we only _think_ they are failing, because we fail
to see what they are really after.
At other times, I think it works like this. The DRM schemes aren't
developed by the entities whose intellectual property they are used
to "protect". Rather, they are developed by companies that then
proceed to market their technology to the rights owners. Sort of
along the lines of "You are losing millions because of piracy.
Our proprietary technology (hence, you can only buy it from us)
will help protect your intellectual property and curb lost sales."
In other words, it's the old "sow fear, harvest meek sheeple"
tactic. Any technically inclined person will see that the DRM
scheme won't help against piracy and will only harm legitimate use,
but it's not being marketed to technically inclined people, it's
being marketed to managers. And it sounds like a good idea: for
a small fee, you can protect against millions in lost sales.
Clever marketing. The same thing that makes so many other
lousy products successful.
Apparently, the people in at least one company got the bright
idea to actually measure and compare the DRMful situation with the
DRMless situation. And they apparently came to the conclusion
that DRM costs them more then it gains them. Hurray! They've
done their homework, and their new policy is good for them and
good for their customers. Win-win. It's how business is
supposed to be.
``They'll probably continue investing more into an arms race
they can't win.''
Likely some will, some won't. Corporations are already getting off
the DRM bandwagon. Perhaps more of them will do a cost-benefit
analysis. Perhaps they will come to the conclusion that DRM
is a net loss to them. Perhaps they will discontinue buying into
it. Or perhaps they will continue to fall for clever marketing.
``Maybe a mixture of diminishing
sales and wasted money will cripple them enough that others can rise up
and take their place.''
Now this is the real problem. This is what would happen if there
were healthy competition. But in the world of entertainment, money
and power are concentrated in a handful of players. Often, this
is reinforced by laws. Actual competition is difficult and
sometimes even illegal. Fortunately, the Internet and the examples
of open source, Wikipedia, file sharing programs, etc. make it
easy to experiment and provide ideas for directions for
expirimentation. New and better models will develop and, in time,
may even prevail.
I have been working on a list of games that will run on non-Windows platforms. If anyone has games they would like to be added, please contact me. If you could include both a link to a website about the game and a short description of the game, that would be grand.
Wasn't there an issue with nVIDIA drivers not working with Vista at all?
``No. I have read it here and here, but I'm not certain whether Vista actually does this or if it's just a massive fud campaign. From what I've read, it seems to be true. But as I said, I'm not 100% sure.''
And since it's closed-source software, you're not allowed to go find out for yourself.
Instead of deleting allegedly "trivial" articles, why not mark them? Wikipedia already has a system in place where articles are marked as "stub", "controversial", etc. There can be other markings that indicate that articles are problematic in the ways that "trivial" articles would be; for example, I could imagine an article being marked as "rarely visited", with an explanation that this means the article has had less peer review than is desirable and thus might be inaccurate.
``Wikipedia and /. do a reasonably good job when a subject has high traffic. Those with little traffic, however, probably have no experts watching, and the ignorant non-experts assert horrible misinformation.''
Yes, indeed, you are completely right.
``Your mistake is that you're conflating simple review, with a user system. You can eliminate the inaccuracies in magazines, encyclopedias, and the like, if you just have multiple experts reviewing every statement (as opposed to one low-rent semi-expert with no error checking)... It's called peer-review in scientific circles.''
Yes, absolutely. That is actually what I should have said in the part of my post about comments and moderation. It is not the fact that the content is generated by "users" instead of "experts" that makes (some) user-driven sites provide better information, it is the fact that they do peer review right.
And, of course, as you pointed out, there is a definite problem with user-run and reviewed sites in that they propagate ideas that are _popular_, rather than ideas that are _correct_. On the other hand, I am not so sure the same problem doesn't occur in expert peer reviewed systems.
All in all, very good post. Thanks!
``More security is better, right ?''
Yes, but what are the threats we are protecting against? And are the measures we are taking actually effective in protecting against those threats? What about the threats we are not protecting against? Are these measures increasing other threats? When we factor in everything, do the measures make things better or worse?
And let's not downplay the importance of feelings. Because, in the end, that is all I _really_ care about. Of course I feel better if there are fewer successful attacks. I also feel better if I have more money to spend, because less of it went into supposed security programmes. And if I felt scared, I suppose I would feel better if I got the feeling something was being done to protect me. I don't feel good when I have to throw away my shampoo or the drink I brought with me to have on board.
How do we find a balance between all of the above? I'd say one way is to take a look at how airport security works in Israel. Regardless of whether there is a real terrorist threat in western Europe or the USA, I think the case can be made that there is such a threat in Israel. Yet, you don't hear about Israeli planes being blown up or hijacked and flown into skyscrapers. Sounds like they have good enough security. How does it work? How expensive is it? How intrusive is it? Do they take fingerprints, confiscate fluids, and have people take off their shoes? Do they focus on specific groups of people? Are there things we could learn from them?