Yes there are other platforms that have similar features (AIX LPAR and DLPAR, HP-UX VPAR, Solaris Dynamic Domains). The problems are (1) you have to be using recent versions of the OS for the software virtualization (AIX 5L 5.2, HP-UX 11 and 11i) or (2) have the specific hardware necessary to use the hardware virtualization (AIX, HP-UX, and Solaris). And this hardware is costly (minimum cost for a Sun Sun Fire midrange to support dynamic domains is $100,000.00).
The other reason could be that management (particularly in DoD) won't allow the use of hardware or software virtualization despite the benefits. Management could see this as a "toy" rather than a feature. Of all the documentation I have read concerning DoD, implementation, security, etc., I have never read anything about setting up or using virtualization. Not to say that some DoD activities aren't using it, but they are not well "advertised". The last Navy project I worked on we tried to deploy an Open Source monitoring solution and was basically told "we will not the first in doing anything!"
My 13 year old daughter is probably the most vicious player I have ever met! Not only does she frag you, she goes the "extra yard" by blowing up your corpse! And when we are playing death matches in Quake she will mutter things like "My name is Perfect Little Angel, how may I kill you today?"
Maybe this is what the guys are afraid of when they are playing online is that they could get their asses handed to them by "a girl".
While Carly complains about the cost of labor, Dubya is trying to help out illegal aliens with his immigration plan, has anybody thought about who is going to pay for all of these high priced services and products?
And why should we listen to Carly, didn't she get a big bonus for merging with Compaq and layoff a large number of HP's workforce at the same time? I remember reading a comment that someone at HP said, something to the effect of "you can work here for free"! Maybe Carly should "work for free" and set the example for the rest of HP's workforce!
I did PowerPoint and Persuasion presentations for Joint Intelligence for four years, if what I saw on a daily basis there is any indication of the "skill" of the regular user, a lot of people need help!
The average user does not know how to make effective graphics, and even when they are assisted by someone who does, they tend to ignore their advice. some of the bigger mistakes I saw were:
A briefer handed me message traffic and said "make slides of these". I told him he had to summarize the traffic inot four or five small bullets. He looked at me as if I was nuts! This unfortunately became the norm, lots of text regardless of whether or not you could read it.
Every slide had to have a command seal in it, as if the viewer couldn't figure out where the presentation came from?
And of course the non graphics "professional" who would use such things as silly effects and screen dumps to create a presentation. I once had to come in on a Saturday to assist in a download of a 69 MB PowerPoint presentation that consisted entirely of screen dumps! And this was over a poor ISDN line so it took over three hours!
Until people are made to realize that they have no "skillz" in graphics, this kind of nonsense will continue. It makes me glad that I don't have to sit through those briefs anymore!
Yes there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.
The last project I worked on we had to use the Defense Informations Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA, the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L) and for the most part only was concerned about auditing. Check it out for yourself at:
http://csrc.nist.gov/pcig/cig.html
If you have administrators who are limited by inept guidance, what do you expect!
Sun by mistake made Solaris Express available for download in August, and I have been working with it since (including the monthly releases). However, to write something specific about Solaris Express you have to get your article cleared by Sun.
When you go to download it the first item in the click through user agreement is the NDA. The "What's new in Solaris Express" pdf files tell of new features, and they are released at the same time as the new release of Solaris Express. It would have been nice if they actually did a review as opposed to regurgitating the pdf files.
I have been sitting back and watching the various posts over the last couple of days and I see (1) The "free as in beer" people bitching about "no more free Linux" and the (2) "free as in speech" people applauding the efforts of RedHat and SuSe.
For the "free as in beer" crowd, where do you thing SuSe got $500,000.00 to pay for Common Criteria evalaution? I'm sure that IBM wants some of that money back. The same goes for Oracle with RedHat. And actual "consultants" singing the virtues of free software now complaining that the free ride is over. If I hired a consultant who sold me this "bill of goods" they would not be a consultant for long (can you say "litigation"). This is part of the reason why I hear such nonsense from PHB's as "unfunded requirements", nothing is free, not even lunch. And anyone who says that it is is either a liar or a fool (pick one)!
For the "free as in speech" crowd I think RedHat's decision is sound, if you want to expand your offerings you will have to charge at some point. And to improve the quality of the product you will have to pay for quality staff. I only see RedHat getting better for this.
For SuSe, I hope that Novell adds functionality like eDirectory, which could have the potential to compete with Solaris (and it's built in LDAP server) and similar products.
I see all of this as a good thing, but I am sure many will not, oh well!
I'm not a lawyer either, but if the trash can is inside the mall wouldn't the trash be considered mall property and not public property? One, I would definitely talk to a lawyer and two, teach the other half not to toss private information "to the wind"!
I think you are missing the point. In any test (especially one that is going to come in under scrutiny) all information about the target for the test should be published. There is no information about the OS (other than its Linux), what running software, what tweaks have been applied, etc. Based on what little information is provided, I doubt if anyone could duplicate the results. And the information should be available so that it can be tested independently.
Everybody complains about benchmarks, but few actually put up any useful information other than the results. Hardly scientific.
Is it me, or is there a lack of information about the machine the tests were run on such as why is almost all of the memory used up? Second, a system with a single disk and swap is in use? What was this guy trying to test anyhow?
All this tests is basically a typical Linux box with a single drive. I wouldn't base any decision to go from one filesystem to another based on these tests!
Maybe I'm just dumb but it doesn't seem to make much sense to release new hardware without drivers optimized to take full advantage of the hardware. If you (or a hardware site) has to wait for a new driver to get the performance the vendor specifies for the hardware, I would be real leary of buying hardware from them.
From what I saw of the ATI/NVIDA test, the NVIDA card was trounced, so maybe NVIDA should hold off on releasing new cards until their drivers catch up to the hardware.
Where I think the problem in post 911 security is awareness, and this is a people problem. Bruce is right, people that are more aware of their surroundings can easily notice things out of place. Instead what do we get from Wahsington, fear mongering and freedom stifling laws and legislation.
The 911 attacks more than likely could not be easily duplicated since (at least in theory) we are aware of how they did it and (hopefully) in a better position to stop it. The bigger question is what are they planning to do in the future?
And putting the entire population of the U.S. in under almost continuous surveillance is not the answer. It is not unlike other intelligence efforts, who is going to analyze all of that data? It wasn't all tha tlong ago that the director of the NSA stated his staff couldn't process all of the information they were gathering.
Hopefully Bruce's book points out some simple steps that will actually improve security without "breaking the bank", be more effective than most of the current measures, and that some people in Washington actually read it!
Instead of going after the real "pirates" who are making money off their software, Symantec along with Microsoft and just about everybody else punish us for their "lost profits" with Product Activation.
I guess it's time for me to start looking at other options for Anti-Virus software.
When I was performed photographic quality control, I ahd a reference platform and true statistically valid performance data to base any decisions on. Unfortunately hardware sites don't exactly do the same thing. They use different hardware (usually provided by the vendor or a reseller looking for a plug), and everything becomes a variable.
What I was taught about analyzing anything was to eliminate variables. Most benchmarks will work as long as you create your own reference platform, specify everything used in excruiating detail (driver version, etc.) And also place a disclaimer that the test is only good based on your hardware and setup.
When I read a benchmark, I use it as only a guide. I do not take the numbers literally since I cannot reproduce the test. And that is where the problem lies in hardware site benchmarking. Anyone should be able to get the specific hardware mentioned, assemble it, install the OS and run the benchmarks and get similar results. My money is they won't because of "tweaked" drivers, benchmark program versions, or hardware, software, or OS settings that do not make it into the documentation or the column for the site. The only benchmarks I pay any serious attention to is SPECInt and SPECf, because there has to be full disclosure of all options used before SPEC will approve of it.
It is great that Linux has been evaluated using Common Criteria, unfortunately there will not be a whole lot of Government agencies lining up to buy it. The standard for classified material is C2/EAL4 regardless of classification. Since Linux does not have the extended auditing that commerical Unix and Windows NT/2000/XP has, it will never get above EAL3.
What I would like to see is the the Hardened Gentoo box evaluated under CC (www.gentoo.org/proj/en/hardened). I logged into this box and could basically do nothing (as root)! It uses NSA's Security Enhanced Linux and a variation of Role Based Access Control. This machine will pass muster!
I can't wait for the day Linux gets EAL4, but I don't think that is coming too soon.
I don't know where you get your information on Solaris, but the downloaded version of Solaris 9 4/03 runs quite well on my dual processor Ultra 2! And mpstat shows 2 CPU's! To be "legal" with Sun you need to purchase a license based on the function of the machine you intend to run Solaris on (either Intel or Sparc).
Prior to Solaris 9, Solaris 8 Intel could handle up to 8 CPU's out of the box. I am sure that is probably still the case, you just have to pay for the licenses if you use Solaris Volume Manager, multiple processors, etc.
A Government contract I previously worked on allocated IP addresses in a building with 190 developers based on workgroup! The problem was the building manager was assigning an entire subnet range to a group of say, six people. Before they replaced the hubs with switches and cut the number of subnets, this one building had 7,000 usable IP addresses for 250 computers, routers, hubs, printers, etc. I think the Government has a few IP addresses they could spare.
At the last 2600 meeting I attended, we joked about installing a chip to catch keystrokes into a keyboard. What if this was done instead of a piece of software? And who knows if something like this has been done or not.
The "man on the street" does not understand one iota of computer security, so why should a public kiosk computer be any different than his home PC? As long as it does not affect them in any way they do not care!
This is a wakeup call for "joe sixpack", do not trust any public PC (I don't).
The difference doesn't necessarily have to do with population density and size, it has to do with adoption of technology both in the industrial/technological and consumer bases. American companies try to milk every last dime out of a technology before they adopt anything new (HDTV sound familiar)? And even then they complain that it will cost them billions, wah, wah!
I have a great idea, bring a Japanese ISP over, snap up some of that dark fiber and see how long some of these lame ass ISP's hold out against a company wanting to actually do something for its customer base!
No kidding, there is no mention of any tweaks to increase network performance, OS performance, or even if they used jumbo packets on the Gigabit interfaces. The article basically says nothing other than based on a limited test that RedHat is better.
This should make a good "Fleecing of America" or "Your Money" episode, oh that's right, I'm talking about responsible journalism! Never mind!
It's nice to know how my tax dollars are being pissed away, and I will remember that when it is time to vote!
The Government and the military don't have to fake it, all they have to do is reclassify it. When Frank Snepp III published "Decent Interval" and it had juicy secrets like we started negotiating with North Vietnam for POW's in 1971, and when we left in 1975 we left behind enough hardware to equip a 250,000 man army for 5 years!
President Reagon signed legislation that allows the Government or military to reclassify previously unclassified materials on a whim (I can't remember off the top of my head what part of the U.S. Code was changed), but this is what they used to go after Frank Snepp.
So all anyone would have to do is wait until just before the declassification date, and request the materials be reclassified. Not that I believe in UFO's either, but I do believe that something happened out there. And the Air Force is in no big hurry for anyone outside the Government to find out!
My daughter started receiving spam almost immediately after giving her e-mail address to a few friends that have AOL or Hotmail accounts. About the only thing she hasn't received is a 419 message, everything else she has.
So I decided to examine e-mail headers and find the guilty parties (which I found were several). An I mailed these offending messages with the statement that they were received by a 12 year old! I give credit where it's due, once Hotmail and AOL were notified, as well as a Canadian marketing company that their e-mail was going to the wrong place it was stopped immediately. In the Hotmail case, it was a user who had several accounts using a variation of one name. Hotmail shut them down as fast as I could send the messages.
Yes these "people" should be punished and worse than the rest. Maybe it would send the message better than what is currently being sent!
Slashdot Mirror
Yes there are other platforms that have similar features (AIX LPAR and DLPAR, HP-UX VPAR, Solaris Dynamic Domains). The problems are (1) you have to be using recent versions of the OS for the software virtualization (AIX 5L 5.2, HP-UX 11 and 11i) or (2) have the specific hardware necessary to use the hardware virtualization (AIX, HP-UX, and Solaris). And this hardware is costly (minimum cost for a Sun Sun Fire midrange to support dynamic domains is $100,000.00).
The other reason could be that management (particularly in DoD) won't allow the use of hardware or software virtualization despite the benefits. Management could see this as a "toy" rather than a feature. Of all the documentation I have read concerning DoD, implementation, security, etc., I have never read anything about setting up or using virtualization. Not to say that some DoD activities aren't using it, but they are not well "advertised". The last Navy project I worked on we tried to deploy an Open Source monitoring solution and was basically told "we will not the first in doing anything!"
My 13 year old daughter is probably the most vicious player I have ever met! Not only does she frag you, she goes the "extra yard" by blowing up your corpse! And when we are playing death matches in Quake she will mutter things like "My name is Perfect Little Angel, how may I kill you today?"
Maybe this is what the guys are afraid of when they are playing online is that they could get their asses handed to them by "a girl".While Carly complains about the cost of labor, Dubya is trying to help out illegal aliens with his immigration plan, has anybody thought about who is going to pay for all of these high priced services and products?
And why should we listen to Carly, didn't she get a big bonus for merging with Compaq and layoff a large number of HP's workforce at the same time? I remember reading a comment that someone at HP said, something to the effect of "you can work here for free"! Maybe Carly should "work for free" and set the example for the rest of HP's workforce!
I did PowerPoint and Persuasion presentations for Joint Intelligence for four years, if what I saw on a daily basis there is any indication of the "skill" of the regular user, a lot of people need help!
The average user does not know how to make effective graphics, and even when they are assisted by someone who does, they tend to ignore their advice. some of the bigger mistakes I saw were:
A briefer handed me message traffic and said "make slides of these". I told him he had to summarize the traffic inot four or five small bullets. He looked at me as if I was nuts! This unfortunately became the norm, lots of text regardless of whether or not you could read it.
Every slide had to have a command seal in it, as if the viewer couldn't figure out where the presentation came from?
And of course the non graphics "professional" who would use such things as silly effects and screen dumps to create a presentation. I once had to come in on a Saturday to assist in a download of a 69 MB PowerPoint presentation that consisted entirely of screen dumps! And this was over a poor ISDN line so it took over three hours!
Until people are made to realize that they have no "skillz" in graphics, this kind of nonsense will continue. It makes me glad that I don't have to sit through those briefs anymore!
Yes there are a lot of contractors and Government employees who don't have a clue. The bigger problem is what guidance is given to people who have to secure those systems (particularly Unix). All Information Assurance personnel want to hear is whether the machines are C2 or not (never mind TCSEC was declared dead March 11, 1999). And this only covers auditing, so they are concerned about trust, not security.
The last project I worked on we had to use the Defense Informations Systems Agency STIG as if it was the bible of Unix security. Here is the mentality of DISA, the Solaris section covered 2.5.1, the AIX section covered 4.3 (but not 5L) and for the most part only was concerned about auditing. Check it out for yourself at:
http://csrc.nist.gov/pcig/cig.htmlIf you have administrators who are limited by inept guidance, what do you expect!
Sun by mistake made Solaris Express available for download in August, and I have been working with it since (including the monthly releases). However, to write something specific about Solaris Express you have to get your article cleared by Sun.
When you go to download it the first item in the click through user agreement is the NDA. The "What's new in Solaris Express" pdf files tell of new features, and they are released at the same time as the new release of Solaris Express. It would have been nice if they actually did a review as opposed to regurgitating the pdf files.I have been sitting back and watching the various posts over the last couple of days and I see (1) The "free as in beer" people bitching about "no more free Linux" and the (2) "free as in speech" people applauding the efforts of RedHat and SuSe.
For the "free as in beer" crowd, where do you thing SuSe got $500,000.00 to pay for Common Criteria evalaution? I'm sure that IBM wants some of that money back. The same goes for Oracle with RedHat. And actual "consultants" singing the virtues of free software now complaining that the free ride is over. If I hired a consultant who sold me this "bill of goods" they would not be a consultant for long (can you say "litigation"). This is part of the reason why I hear such nonsense from PHB's as "unfunded requirements", nothing is free, not even lunch. And anyone who says that it is is either a liar or a fool (pick one)!
For the "free as in speech" crowd I think RedHat's decision is sound, if you want to expand your offerings you will have to charge at some point. And to improve the quality of the product you will have to pay for quality staff. I only see RedHat getting better for this.
For SuSe, I hope that Novell adds functionality like eDirectory, which could have the potential to compete with Solaris (and it's built in LDAP server) and similar products.
I see all of this as a good thing, but I am sure many will not, oh well!
I'm not a lawyer either, but if the trash can is inside the mall wouldn't the trash be considered mall property and not public property? One, I would definitely talk to a lawyer and two, teach the other half not to toss private information "to the wind"!
I think you are missing the point. In any test (especially one that is going to come in under scrutiny) all information about the target for the test should be published. There is no information about the OS (other than its Linux), what running software, what tweaks have been applied, etc. Based on what little information is provided, I doubt if anyone could duplicate the results. And the information should be available so that it can be tested independently. Everybody complains about benchmarks, but few actually put up any useful information other than the results. Hardly scientific.
Is it me, or is there a lack of information about the machine the tests were run on such as why is almost all of the memory used up? Second, a system with a single disk and swap is in use? What was this guy trying to test anyhow? All this tests is basically a typical Linux box with a single drive. I wouldn't base any decision to go from one filesystem to another based on these tests!
Maybe I'm just dumb but it doesn't seem to make much sense to release new hardware without drivers optimized to take full advantage of the hardware. If you (or a hardware site) has to wait for a new driver to get the performance the vendor specifies for the hardware, I would be real leary of buying hardware from them. From what I saw of the ATI/NVIDA test, the NVIDA card was trounced, so maybe NVIDA should hold off on releasing new cards until their drivers catch up to the hardware.
Where I think the problem in post 911 security is awareness, and this is a people problem. Bruce is right, people that are more aware of their surroundings can easily notice things out of place. Instead what do we get from Wahsington, fear mongering and freedom stifling laws and legislation. The 911 attacks more than likely could not be easily duplicated since (at least in theory) we are aware of how they did it and (hopefully) in a better position to stop it. The bigger question is what are they planning to do in the future? And putting the entire population of the U.S. in under almost continuous surveillance is not the answer. It is not unlike other intelligence efforts, who is going to analyze all of that data? It wasn't all tha tlong ago that the director of the NSA stated his staff couldn't process all of the information they were gathering. Hopefully Bruce's book points out some simple steps that will actually improve security without "breaking the bank", be more effective than most of the current measures, and that some people in Washington actually read it!
Instead of going after the real "pirates" who are making money off their software, Symantec along with Microsoft and just about everybody else punish us for their "lost profits" with Product Activation. I guess it's time for me to start looking at other options for Anti-Virus software.
When I was performed photographic quality control, I ahd a reference platform and true statistically valid performance data to base any decisions on. Unfortunately hardware sites don't exactly do the same thing. They use different hardware (usually provided by the vendor or a reseller looking for a plug), and everything becomes a variable. What I was taught about analyzing anything was to eliminate variables. Most benchmarks will work as long as you create your own reference platform, specify everything used in excruiating detail (driver version, etc.) And also place a disclaimer that the test is only good based on your hardware and setup. When I read a benchmark, I use it as only a guide. I do not take the numbers literally since I cannot reproduce the test. And that is where the problem lies in hardware site benchmarking. Anyone should be able to get the specific hardware mentioned, assemble it, install the OS and run the benchmarks and get similar results. My money is they won't because of "tweaked" drivers, benchmark program versions, or hardware, software, or OS settings that do not make it into the documentation or the column for the site. The only benchmarks I pay any serious attention to is SPECInt and SPECf, because there has to be full disclosure of all options used before SPEC will approve of it.
It is great that Linux has been evaluated using Common Criteria, unfortunately there will not be a whole lot of Government agencies lining up to buy it. The standard for classified material is C2/EAL4 regardless of classification. Since Linux does not have the extended auditing that commerical Unix and Windows NT/2000/XP has, it will never get above EAL3. What I would like to see is the the Hardened Gentoo box evaluated under CC (www.gentoo.org/proj/en/hardened). I logged into this box and could basically do nothing (as root)! It uses NSA's Security Enhanced Linux and a variation of Role Based Access Control. This machine will pass muster! I can't wait for the day Linux gets EAL4, but I don't think that is coming too soon.
I don't know where you get your information on Solaris, but the downloaded version of Solaris 9 4/03 runs quite well on my dual processor Ultra 2! And mpstat shows 2 CPU's! To be "legal" with Sun you need to purchase a license based on the function of the machine you intend to run Solaris on (either Intel or Sparc). Prior to Solaris 9, Solaris 8 Intel could handle up to 8 CPU's out of the box. I am sure that is probably still the case, you just have to pay for the licenses if you use Solaris Volume Manager, multiple processors, etc.
A Government contract I previously worked on allocated IP addresses in a building with 190 developers based on workgroup! The problem was the building manager was assigning an entire subnet range to a group of say, six people. Before they replaced the hubs with switches and cut the number of subnets, this one building had 7,000 usable IP addresses for 250 computers, routers, hubs, printers, etc. I think the Government has a few IP addresses they could spare.
If Microsoft cannot actually find any of its code in OSS, are we going to see the return of "look and feel" lawsuit?
At the last 2600 meeting I attended, we joked about installing a chip to catch keystrokes into a keyboard. What if this was done instead of a piece of software? And who knows if something like this has been done or not. The "man on the street" does not understand one iota of computer security, so why should a public kiosk computer be any different than his home PC? As long as it does not affect them in any way they do not care! This is a wakeup call for "joe sixpack", do not trust any public PC (I don't).
The difference doesn't necessarily have to do with population density and size, it has to do with adoption of technology both in the industrial/technological and consumer bases. American companies try to milk every last dime out of a technology before they adopt anything new (HDTV sound familiar)? And even then they complain that it will cost them billions, wah, wah! I have a great idea, bring a Japanese ISP over, snap up some of that dark fiber and see how long some of these lame ass ISP's hold out against a company wanting to actually do something for its customer base!
No kidding, there is no mention of any tweaks to increase network performance, OS performance, or even if they used jumbo packets on the Gigabit interfaces. The article basically says nothing other than based on a limited test that RedHat is better.
This should make a good "Fleecing of America" or "Your Money" episode, oh that's right, I'm talking about responsible journalism! Never mind! It's nice to know how my tax dollars are being pissed away, and I will remember that when it is time to vote!
Already has been done: http://totl.net/Eunuch/
The Government and the military don't have to fake it, all they have to do is reclassify it. When Frank Snepp III published "Decent Interval" and it had juicy secrets like we started negotiating with North Vietnam for POW's in 1971, and when we left in 1975 we left behind enough hardware to equip a 250,000 man army for 5 years! President Reagon signed legislation that allows the Government or military to reclassify previously unclassified materials on a whim (I can't remember off the top of my head what part of the U.S. Code was changed), but this is what they used to go after Frank Snepp. So all anyone would have to do is wait until just before the declassification date, and request the materials be reclassified. Not that I believe in UFO's either, but I do believe that something happened out there. And the Air Force is in no big hurry for anyone outside the Government to find out!
My daughter started receiving spam almost immediately after giving her e-mail address to a few friends that have AOL or Hotmail accounts. About the only thing she hasn't received is a 419 message, everything else she has. So I decided to examine e-mail headers and find the guilty parties (which I found were several). An I mailed these offending messages with the statement that they were received by a 12 year old! I give credit where it's due, once Hotmail and AOL were notified, as well as a Canadian marketing company that their e-mail was going to the wrong place it was stopped immediately. In the Hotmail case, it was a user who had several accounts using a variation of one name. Hotmail shut them down as fast as I could send the messages. Yes these "people" should be punished and worse than the rest. Maybe it would send the message better than what is currently being sent!