Slashdot Mirror


User: hbo

hbo's activity in the archive.

Stories: 0
Comments: 185

Comments · 185

  1. Re:So we respond with Nautlius on Feds Want to Tap VoIP · · Score: 1

    The conspiracy is an abstract notion whose concrete manifestations are the conversation and the passing of the gun, in the example given. Both of these are illegal acts. A conversation can be illegal insofar as it constitutes an illegal act. Remember that the first amendment famously doesn't allow you to cry "fire" in a crowded theater. Not all speech is legal, nor are all conversations.

  2. Re:So we respond with Nautlius on Feds Want to Tap VoIP · · Score: 3, Interesting

    For instance, at the rate we're going, I fully expect to see laws against two people conversing face-to-face and in private in my lifetime.

    No need to wait for that. A fictional, but plausible illegal conversation, circa 1865:

    Conspirator 1: Psst, John, here's the gun. When are you going to do it?
    Conspirator 2: Right after act one of "Our American Cousins!"

    Conspiracy is illegal, of course. If the content of a conversation conveys information that furthers a conspiracy, then the conversation is illegal. For example, it would be illegal for me to tell you when I was going to commit a murder so you could make sure my getaway car, er, horse, was parked outside Ford's theater at the right time.

  3. Re:just another PR trick on SCO Not Lying About DoS Attack · · Score: 1
    SCO's latest press release doesn't accuse anyone. The discussions at Groklaw seem to assume they will at some point accuse the FOSS community. I think this may be based on previous SCO behavior, but I'm not sure.


    As to SCO attacking itself, the scenario most folks have been discussing involves running an attack script on the network the attacked servers inhabit. This would produce "backscatter" indistinguishable from a real attack. The problem with this is that the upstream provider would only see the outbound ACKs from SCO, with no corresponding inbound SYN packets. Since the attack involves saturating the victim's bandwidth, these inbound flows would be substantial. The attack of December 4/5 featured filtering of traffic inbound to SCO at multiple points in xo.net. This was clearly an attempt to keep multiple attack flows off XO's network. They almost certainly wouldn't do this unless they saw the actual flows. Ergo, the attack did not originate from SCO's network.

  4. Re:just another PR trick on SCO Not Lying About DoS Attack · · Score: 1
    Then we are in complete agreement.


    I too think that the lack of continuous network based aggression against SCO speaks well of the community. Surely there are many of us who could mount such an attack if we cared to. Good point about ex-Caldera Linux heads. Though if I had been in the position of a Caldera employee facing transition to the new SCO *ahem* culture, I would have bailed out early on.


    These guys are easy to despise. But I worry they may have a little more punch than we are giving them credit for. The same myopia that makes it impossible for some to credit any truth at all in SCO's statements contributes to denial about the potency of their case against IBM. Yes, the code samples that have emerged publicly are laughable. And yes, SCO has made outrageous claims and has been caught out in many lies. But public statements, though they may have some impact in court, will not decide the legal issue in Utah. It may well be that SCO has no cards to show. Or perhaps they've been sandbagging. We should get our first glimpse at what they have next month. But if SCO's case doesn't go down to a motion to dismiss by IBM after the first round of discovery, then we are in for a long, hard slog in this case, with the outcome in doubt.


    Why does this matter? Well, for one thing, it would undercut the commitment of IBM to FOSS. And they are doing lots of good stuff that I'd hate to see cut back. Second, it would be disruptive, though not fatally so, to Linux as offending code is ripped out and corporate users scramble to replace their "infringing" kernels with new ones. (I don't give SCO any chance at all of getting widespread licensing deals with end users.) Third, success by SCO would open the floodgates of further litigation. Fourth, and most serious, it would add momentum to the enemies of the intellectual commons.


    So, I worry. There's not a damned thing I can do about it, but I worry anyway.

  5. Re:just another PR trick on SCO Not Lying About DoS Attack · · Score: 1

    All this happens, and then SCO suddenly becomes 'victimized by all these EVIL Open Source people' ...

    I think that you accurately portray the mindset of the folks that can't believe that SCO ever tells the truth.

    There's a corollary to that idea: "Open Source people" would never stoop so low as to mount such an attack on SCO. That's as false as the idea that SCO doesn't have a prayer in court. The group is just too large, and it only takes one or two jerks.
  6. Re:It's tough out there ya know on SCO Not Lying About DoS Attack · · Score: 1

    Responsible FOSS people are not responsible because they support FOSS, that was very likely a pre-existing condition.


    Maybe. And maybe they grew up while they were about the business of living, too.

    Anyone care to guess the median age of all the folks that have attacked SCO thus far? (It should be fun, since nobody can get the hard data, yet at least. Ooops. I guess that was immature. 8)

  7. Re:just another PR trick on SCO Not Lying About DoS Attack · · Score: 4, Insightful

    I believe it's a knee-jerk reaction to the threat that SCO is posing to Linux and the GPL, combined with its public record of lying. The history of Unix is a tangle that Gordius of Phrygia would be satisfied with. Interpreting IBM's rights amid the confusing welter of licenses and side agreements will not be easy, and the outcome is not so tidily in the bag as some seem to hope. PJ at Groklaw has provided lots of useful and interesting research. I read Groklaw daily. But it's obvious that Groklaw is also an advocacy site, among other things, much as Slashdot is. I worry that PJ's biases might lead her to miss important information from time to time. Since I'd like to see SCOG fail and be ground into the earth by IBM, I'd prefer she had the clearest vision possible.

    I have no evidence that Groklaw is missing tricks due to bias. It's just a worry of mine. The "SCO must be lying" bias at Groklaw and here is unmistakable, however.

  8. Re:just another PR trick on SCO Not Lying About DoS Attack · · Score: 3, Insightful

    Missed this headline which is identical to the title of the story on Groklaw. Still, it was the "SCO is completely screwed and can never win" dittoheads that ran away with the idea that the DDOS was a hoax, not the Slashdot editors. (However I'm sure there's some overlap between the groups. 8)

  9. Re:just another PR trick on SCO Not Lying About DoS Attack · · Score: 4, Interesting
    The headline was "SCO Group Web Site Attacked Again", which, it turns out, was correct. Lots of folks read Groklaw, or posted to both Slashdot and Groklaw, doubting that the attack was real. As I said over there:


    I haven;t (sic) seen an explanation for the fact the earlier traceroutes stopped at multiple points in xo.net. Thos (sic) seem to indicate that there was filtering going on upstrean from SCO. This is a reasonable response to a DDOS by a backbone provider. That would also explain why there was now (sic) bandwidth problem on other systems close to www.sco.com. The putative attack traffic was never reaching SCO's colo.

    We should resist the temptation to believe that everything SCO says is a lie, just because most things are. This could blind us to real threats from SCO, if they exist.


  10. Re:And yet: on IBM Releases Desktop Linux Presentation · · Score: 1

    Bingo! That major benefit of the GPL for individuals also works for businesses, if they have the right approach.

    (Disclaimer: I work for IBM, but these are solely my opinions. They in no way represent official IBM policies. They could even be dead wrong.)

    One of the advantages of a proprietary OS (or any other software) is that the proprietor gets to claim that they know it best, since only they have the source, and since the engineering team that wrote it works for the company. One of the fears a company considering use of FOSS in their products might feel is that the "we know it best" advantage would be lost. Another concern is that the code the hypothetical company would release could end up aiding competitors. IBM is betting that "we know it best" will still have some meaning when dealing with Linux. The company is hiring the best people they can, and making them available to lowly field grunts like me. And it appears to me that they are using the GPL partly because it prevents a competitor from building on IBM's code, and then distributing the result in closed-source form. If improvements are made by a competitor, (or anyone) then IBM gets to reap the benefits along with everyone else.

    Note that this is the exact opposite result that the Microsoft anti-GPL FUD would lead you to expect.

  11. Re:And yet: on IBM Releases Desktop Linux Presentation · · Score: 5, Insightful
    1) You can't buy a IBM Thinkpad unless it comes with Windows. That 'old "Microsoft tax"

    Sad, but true.

    2) IBM can't be bothered to support FreeBSD on their laptops. Public case in point - the use of Type 165 for the partition that held the backup info. Private case - IBM staffer claimed they'd help with a USB implementation issue on one type of Thinkpad. (The USB doesn't work at all with FreeBSD and the only way Linux works is if you force the probe order in some wonky way.)


    That's not the case with current ThinkPads. And though it was an inexcusable blunder when they initially committed it, IBM fixed the problem with a BIOS update 3-4 months after they were pummeled by the FreeBSD community (Link to my 2 cents worth of pummeling.)


    3) Many of the new style Thinkpads come with the Intel wireless - the one only supported under Windows.


    Of course, that's the case with any Centrino based laptop out there. It's Intel's worry, not IBM's.

    I'll believe IBM cares about Open Source when they address the 3 above. Otherwise it's the swapping of one corporate master for another.

    Corporations are fictional legal persons. They don't "care" about anything. People within corporations do. A lot of people within IBM care about open source. Andrew Tridgell works for IBM, for example. IBM has embraced Open Source for a variety of reasons, but in my opinion they all boil down to this: Free and Open Source Software gives IBM an advantage over its rivals in the competition to sell Information Technology to global business. IBM will attempt to assist its customers in saving money through the use of
    1. Cheap hardware. This means Intel and AMD today. In the future, it could mean Power, if the latest supercomputer offering is any indication.
    2. Cheap(er) Software. This avoids the Microsoft tax and "sticks it to" a major competitor. IBM isn't pretending that free-as-in-beer software is actually cost free.
    3. Superior services. IGS is poised to win a lot of business helping customers realize cost savings by switching to the first two bullets.

    IBM has lots of other irons in the fire with regard to Linux, but those are the ones I see most clearly. The fact that they are focussing on Linux and not FreeBSD is a function of the marketplace. Linux is the OS that the largest percentage of the FOSS community has gotten behind. IBM wishes to leverage this energy for its own purposes.

    This may be cynical, but consider that the effort has resulted in substantial (many 100's of millions of dollars worth of) contributions of code by IBM to Linux, Java and many other projects, the hiring of many FOSS authors, to work on their own projects, substantial direct cash support for OSDL and others and the hiring of lots of folks who really do care about FOSS, though they may not be codejockies.

    Finally, IBM is fighting a lawsuit aimed at stopping the forward momentum of Linux, and by extension, the rest of FOSS. One result of this suit could be the legal validation of the GPL, which would be a huge step forward for the entire community, even those that prefer the BSD or some other license.

    So, IBM may be pursuing its own interests, but they are making a lot of moves that hugely benefit FOSS. The commitment is long-term, but even if it weren't, what IBM has done up to now deserves recognition.

    Disclaimer: I now work for IBM. But I made my decision to join them by considering the points I just made.
  12. Re:What about blind people? on Block Spam Bots With Free CAPTCHA Service · · Score: 1
    That's possible, but difficult. The bogus tags themselves reveal why that's so. They are not valid HTML, but they have the form of valid closing tags. Though I don't know the pre-XML (read fairly current) HTML spec very well, and being too lazy to look it up at this hour, I nevertheless seem to recall that it says browsers should ignore tags they don't recognize. In any event, browsers are notoriously liberal about what they will render, so as to make the "user experience" nicer, and the job of standardization impossible. 8) All of this makes it tough to strip out bogosities. However I think that it's a requirement to do that if Bayesian filtering is to survive the current round of slime-bucket SPAM-mongering countermeasures.

    The other countermeasure I've seen get through SpamAssassin is stuff like this:
    Hey, how's it going? You know, you were right about <a href="slime-sucking-spam-site.com">that site!</a> They <em>do</em> have erection meds for much less. How do you think they get away with it?

    Cheers,

    Your low-life SPAM-sluicing buddy.
    This was predicted in Paul Graham's original Plan for Spam. Quoting:



    To beat Bayesian filters, it would not be enough for spammers to make their emails unique or to stop using individual naughty words. They'd have to make their mails indistinguishable from your ordinary mail. And this I think would severely constrain them. Spam is mostly sales pitches, so unless your regular mail is all sales pitches, spams will inevitably have a different character.



    There's still grist for the Bayesian mill in messages like the example, but it's thin grist, indeed.
  13. Re:What about blind people? on Block Spam Bots With Free CAPTCHA Service · · Score: 1

    It would have to be the latter, since the tag text could be any dictionary word whatsoever, except some currently open tag.

    Assigning a high score merely to "bogus" closing tags would be bad too, because of XML. You could score a large number of poorly formed (in the XML sense) tags as suspect. Doing so for only one or two might catch fat-fingered, but otherwise innocent coders. 8)

  14. Re:What about blind people? on Block Spam Bots With Free CAPTCHA Service · · Score: 1
    I'm already getting SPAM that gets through SpamAssassin's Bayesian filter. They include lots of non-spammish words as white text on a white background. Then they break up the SPAM spew with unbalanced, bogus closing tags. For example:
    "En</figure>large yo</allowed>ur me</plastic>mber!"
    which helpful HTML renderers will print in glorious spamavision. (As Slashdot's did until I enclosed the example in an ecode block.)

    Your point is well taken. If you come up with a suite of questions, the spammer can come up with a suite of responses. If you change the questions, it gives you relief for a while, but then the spammers will catch up. The problem is, questions that a computer can't do semantic analysis on can't be generated by computer, either.
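
    The bogus-closing-tag trick from comments 12 to 14 above, seen from the filter's side, as an added example that is not part of the original comments. It compares a naive tag strip with a renderer-style pass that drops unmatched closing tags without a separator, and counts them as a feature; the threshold, the tag sets and the HAM sample are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# SPAM is the string quoted in the comment above; HAM is a constructed
# sample of innocent mail with a single fat-fingered closing tag.
SPAM = "En</figure>large yo</allowed>ur me</plastic>mber!"
HAM = "<p>Hello <b>world</b></i></p>"

BLOCK = {"p", "div", "br", "li", "tr", "td", "h1", "h2", "h3"}  # assumed subset
VOID = {"br", "img", "hr", "meta", "input", "link"}             # never closed
SUSPECT_THRESHOLD = 3  # assumed: one or two stray tags is a typo, not spam


class RenderedText(HTMLParser):
    """Collects the text a lenient HTML renderer would display."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self.open_tags = []
        self.unmatched_close = 0

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK:
            self.parts.append(" ")      # block elements separate words
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in VOID:
            return                      # e.g. <br/> is not a stray close
        if tag in self.open_tags:
            # Close back to the most recent matching open tag.
            last = len(self.open_tags) - 1 - self.open_tags[::-1].index(tag)
            del self.open_tags[last:]
            if tag in BLOCK:
                self.parts.append(" ")
        else:
            # A close with no open: the renderer shows nothing here, so the
            # text on both sides is joined exactly as the reader sees it.
            self.unmatched_close += 1

    def handle_data(self, data):
        self.parts.append(data)


def words(text):
    return re.findall(r"[a-z']+", text.lower())


def naive_tokens(html):
    """Replace every tag with a space: this is what the trick defeats."""
    return words(re.sub(r"<[^>]*>", " ", html))


def analyze(html):
    """Tokens as rendered, plus the stray-closing-tag count as a feature."""
    parser = RenderedText()
    parser.feed(html)
    parser.close()                      # flush text buffered after last tag
    return {
        "tokens": words("".join(parser.parts)),
        "unmatched_close": parser.unmatched_close,
        "suspect": parser.unmatched_close >= SUSPECT_THRESHOLD,
    }


if __name__ == "__main__":
    print("naive   :", naive_tokens(SPAM))
    print("rendered:", analyze(SPAM))
    print("ham     :", analyze(HAM))
```

    The rendered tokens are what a Bayesian classifier should be trained and scored on; the stray-tag count is a separate signal, kept above one or two so that a single mistyped tag in ordinary mail does not trip it.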
  15. Re:About. Bloody. Time! on Security Affecting Microsoft's Bottom Line · · Score: 1

    Possibly by the time Longhorn SP1 comes out, in about 2006, they will have pretty much sorted out the security problem.

    In Longhorn (or whatever version theoretically becomes secure) perhaps. But there are businesses still running DOS. Win9x still has a significant presence in the business workplace, not to mention home use. This legacy will not change fast enough to save them from the consequences of their earlier shortsightedness.

  16. Re:time to protect the monolpoly on Security Affecting Microsoft's Bottom Line · · Score: 2, Insightful

    This had better be a temporary endeavor conducted in parallel with major shifts toward better business practices, or MS is starting the downward spiral.

    Yes, yes and not exactly.

    My impression is that Microsoft is fully engaged in attempting to address their security problems. They will pursue both tracks you mention, and any others that present themselves, to try and get a handle on the situation. However, I disagree that this is the beginning of a downward spiral for Microsoft. The hits they are taking now are the result of shortsighted marketing decisions of many, many years' standing. If lack of security in Microsoft's software really does result in a downward spiral, then the beginning of that spiral has to be dated from those decisions.

  17. About. Bloody. Time! on Security Affecting Microsoft's Bottom Line · · Score: 1, Informative

    Truth and Justice cannot be forever denied!

    Seriously, now is when we find out which model of software development really is more secure. Results like these will energize Microsoft's management to try and address security even more forcefully. My money is on FOSS, but we'll actually get to see how it plays out in the real world.

  18. Re:The big advantage to wine on Can WINE Compromise Unix? · · Score: 1

    By the transform Joke(p,h) --> p' .

    OK, it was h I was missing there. Calendaring, or the meetings it facilitates, certainly takes me away from my real work. But actually attending those meetings seems to help keep me employed. Go figure.

    I suppose what you are saying is that one response to a widespread virus attack on cxoffice could be to change the WINE loader to do all sorts of security checks, and that it's possible to be clever about running programs under that loader. I guess you could say the same about Windows itself, though. We would have the Source on our side on Linux, but that's still reactive, isn't it? I'm not talking about a VBA or VBScript virus such as the common run on Windows today, though that could be a vector. I'm postulating a virus that is aware that it is running on WINE, which shouldn't be all that hard to figure out, even from VBScript. What's to stop such a virus on cxoffice today from escaping the fake_windows root and causing mischief among all my MP3^H^H^Himportant work files?

  19. Re:The big advantage to wine on Can WINE Compromise Unix? · · Score: 1
    How does
    Outlook is the only solution that will get you on board with the calendaring and other features besides email.
    turn into
    So you also get a big productivity boost as long as you use anything other than Outlook.
    ?

    I will choose not to use Outlook when I have a choice! When I don't have a choice, Outlook is more productive because the alternative is not getting the job done. It's sad, but a fact of life.

    I don't know that much about WINE's internals, so I could be off base. But it seems like the fact that the virtualization is API translation instead of machine emulation means that an attacker has somewhat less in the way before getting to the host OS. The Y: drive is one example. Probing localhost for services is another. Even if there aren't overt or covert ways to get at the Linux API directly from within WINE, holes like that are a concern.

    I too think we are mostly in agreement. It's just fun to chew the fat on Slashdot. 8)
  20. Re:The big advantage to wine on Can WINE Compromise Unix? · · Score: 1

    Eh. Evolution is pretty much there for most users, IMHO. And there are lots of other options. A great number of people don't need or want a ball of bloatware to send read their e-mail.

    I certainly don't. But sometimes, I don't have a choice. If the groupware platform is Exchange, and they don't support the web interface, and it's not Exchange 2000, Outlook is the only solution that will get you on board with the calendaring and other features besides email. If you want to use Linux, then either VMWare or cxoffice are your choices. I use Evolution at home and at my current work assignment. But if I had to use Outlook to get my work done, I would. And I'd use cxoffice in preference to VMWare for performance reasons. I've seen very large companies recently in the same boat, so that's why I call Outlook the "killer app" for cxoffice.

    And here is where I see the advantage of emulators. I could remove this, move it, protect it with a pop-up verification, honey-pot it, or do whatever else I wanted.

    Well, the Y: drive is cute, but it's also useful. So disabling it is probably smart, but also inconvenient. (There's the old usability/security ratio again.) And since WINE as a platform is more transparent than native Win32, measures you take can be more easily countered by the bad guys. Like, for example, a virus could respond to your protective pop-up. They won't do that if you have implemented your own custom protective measure, but if it's part of cxoffice, they will.

    I think this issue is part of the general problem that Linux is headed toward a tough time with malware as it gets to be more widespread on the desktop. The platform is undoubtedly more secure than Windows for a variety of reasons. But that doesn't suspend the scaling problem systems face wherein an attacker just has to find one flaw, and system architects, administrators and users have to defend against all possible flaws. Adding Windows apps to the mix increases "all possible flaws" by a large increment.
  21. Re:The big advantage to wine on Can WINE Compromise Unix? · · Score: 1

    I wonder why I'm not thrilled at the prospect of patching buggy Windows software so it will run safely on Linux.

    In my experience, the most common application running under cxoffice is Outlook. It's sort of CodeWeaver's "killer app." As others have noted, running as non-root doesn't protect you from a virus that is aware of WINE, and takes advantage of the network connectivity of your box to propagate itself, or worse.

    I notice that there is this cute "Y" drive under cxoffice that is a window (heh) on to your ~/. Now a WINE aware virus has some local files to play with that aren't part of the API compatibility layer. Do you have a ~/bin? Seems like a good place to slip in a trojan. And I don't know about you, but the most important files on my laptop aren't owned by root, they're owned by me. Also, consider this: cracking a box from the network is generally more difficult than rooting it once you are local. WINE running Outlook or IE would seem to be an attractive target, but for the fact that it is still not widespread enough to attract much attention.

    I have run Outlook under cxoffice at jobs whose corporate email was Exchange, so I understand the motivation. (Thank god that's not the case at my current work site.) And while it may be true that the availability of Windows apps on Linux reduces demand for competitive native versions, I know from direct experience that cxoffice figures prominently in plans for very large rollouts of Linux on the desktop, and that is a good thing for the Penguin. However, I do think that as cxoffice gets more penetration, along with Linux, we will see more successful exploits of the technology to do bad things. Of course, that may provide the drive for competitive products that cxoffice hypothetically reduces.

  22. Re:It's About Time on Reliance On MS A Danger To National Security · · Score: 4, Interesting

    Those are the two that stood out for me, too. I have vast respect for both gentlemen. And it's based on years of watching their work product.

    The political angles aside, what they are saying is just common sense. They are talking about the vast majority of computing power being at the periphery of the network. That means at home, on your desk, in your palmtop and cell phone. The number of vulnerable servers, of whatever stripe, is just swamped by the vast numbers of desktop devices. And 90-97% (depending on whose stats you believe) of those systems run Microsoft OSen. When a worm is turned loose targeting those systems, it spreads like wildfire. They call it "cascade failure." These systems then turn around and attack systems at the core of the network. At that point, it doesn't matter what OS those core systems are running. They are very likely to be toast, regardless.

    They also make the point that Microsoft systems are uniquely vulnerable because of the malodorous pile of layered marketing driven technology decisions, and the tight integration of Microsoft's applications and OS software. That last point should be obvious, too. If your interfaces are loosely coupled, it's easier to decouple them when malware hits.

  23. Re:Computer Security 101 on Reliance On MS A Danger To National Security · · Score: 1

    Remember "Nothing sucks like a Vax?"

    Vax vacuum, that is. The slogan for the British vacuum cleaner company was the source of much hilarity at many DECUSen. 8)

  24. Anti-Virus for Linux/Unix on Sophos Acquires ActiveState · · Score: 3, Interesting


    Sophos's anti-virus technology will be integrated with PureMessage, ActiveState's enterprise email protection software, to deliver industry-leading anti-virus and anti-spam protection in a single, consolidated solution - Sophos PureMessage. PureMessage currently supports AIX, HP-UX, FreeBSD, Linux and Solaris. For more information please see http://www.sophos.com/products/pm/


    So the real news here is that the hole created by Microsoft's purchase of RAV is about to be filled. Since ActiveState's relationship with Microsoft is important for their tools this could impact that relationship.

  25. Re:FUD! on Is Prescott 64-bit? · · Score: 1

    If Intel ACTUALLY had a 64-bitter coming out soon, they'd be trumpeting it like it was the Second Coming.

    There's that multi-billion dollar investment in Itanium to think about, not to mention the partnerships Intel has tried to build around the chip.

    This is all about the server market. Itanium is expensive because it requires all new software. Its performance has been disappointing too. That has recently improved, they actually beat Opteron in the tests I've seen on 64-bit code. But Opteron's value proposition is that it runs current 32-bit apps and new 64 bit ones at the same time. So you can spread out that 6-9 figure investment in new software over a longer period than just a few quarters.

    What Intel really needs to do is to add ia32 compatibility to ia64 in the silicon. Then they could run the old cruft at speeds competitive with Opteron, while still offering a path forward out of the horrid architecture they, and the market, have tortured the world with for 20 years