They sue whoever is profiting the most from the use of the "infringing" software. In other words, the projects might be safe, by virtue of not having economic gain from the infringement, but the users and developers, who presumably would be profiting, might be targets.
IANAL, but before you use the case of SCO threatening users to refute me, remember their threats are based on copyright law. Since the users are not, by and large, distributing Linux, that threat is ridiculous. Patent law is a different animal, however.
Also, I have no knowledge of, and therefore no opinion on, the Microsoft patents in question.
To their credit, Microsoft has started getting out in front of many of the problems caused by their buggy software. But, as I commented last year, they are a victim of all the stupid, short-sighted decisions favoring marketing glitz over technology that they have made over the years. That installed base is a millstone around their neck.
I don't think they feel that each new bug is the last one. Gone are the days when Microsoft could ignore security issues without a direct negative impact on their bottom line.
FUD and truth are not necessarily disjoint.
Good point.
Can Microsoft control its worms?
That's an open question. They are certainly trying. So is everyone else, of course. It's an arms race. Everyone is vulnerable.
Your comments regarding the real security threat coming from insiders are correct, of course. However, nobody blames the platform or database vendor when that happens. Viruses and other malware coming from the Internet are highly visible. And as they increase in sophistication and destructive potential, they may actually start to tip the well known inside/outside security balance a little. Looking at external threats in isolation for a moment, the balance between malware authors and those who would protect systems is uncomfortably tilted in favor of the black hats by virtue of the "weakest link" principle. Everyone suffers from this, not just Microsoft. Responses to this imbalance include Microsoft's new strategy of focussing a large part of their considerable resources on the problem, and the Open Source community's massive peer review process. As I say, the jury is still out on which will prove the better approach over the long haul. I strongly believe that the latter is better, and so it has proved throughout the era when Microsoft was clueless about security. Now that they are fully engaged, we might be better able to judge which approach is better. Or we might never learn this, if both styles sink under the weight of proliferating malware.
First, there's nothing to prevent Microsoft, or any other large software house, from doing internal peer review.
The phrase was "massive peer review." Neither Microsoft, nor any other government or corporation can match the scale at which the Free and Open Source communities can carry out such reviews.
Furthermore, most OSS projects have no organization to their peer review
That sounds like Darl McBride telling the community that they "need to get a business model" because he can't see a model he understands. There are formal review processes, OpenBSD's is a prominent and successful one, but the real power is engaged when the larger community pounds on a piece of software through use. Bugs get found and fixed quickly through an informal process that doesn't look anything like a formal code review, but produces better results. Even OpenBSD benefits from this informal process on top of their more formal process. The results aren't perfect, but they aren't to be sneered at either.
Open document standards would be a good thing, except that open standards tend to evolve at a snail's pace.
Except, that's not the problem. The problem is Microsoft uses their document formats to try to lock in their customers. This is precisely the issue that concerns many governments, to judge by what I've read on the topic.
.. making a law mandating or prohibiting OSS is dumb.
What governments want to do, they will do. Generally they do things with laws. One could argue the politics of that for years, with no progress made in changing minds, or affecting events. Anyhow the referenced article was not concerned with mandates, but with the calculation governments will make when deciding between OSS and Microsoft. I think the former has a lot to offer this sector above and beyond what might appeal to any organization.
Massive peer review makes OSS more secure than comparable closed source products
Quite possibly true but irrelevant. Things like Code Red, Slammer, MSBlaster will not spread extensively and will be extinguished because there's a diverse horde of people with the ability to work out what it takes to stop and extinguish it. If you remove the top two-thirds of the talent, what's left will still manage to somehow extinguish it.
Well, I'm not as optimistic about that as you seem to be.
But, that "diverse horde" is exactly where OSS has a potential advantage. I say "potential" because lots of people actually have to look at the source with an eye toward fixing security problems for the advantage to become actual. Not all OSS code gets that kind of scrutiny.
Microsoft's isn't the only platform vulnerable to the menagerie of security bugs. Stack busting was first studied extensively on a Unix platform, for example. And Microsoft's position as the 90% leader on the desktop does indeed mean more effort is expended trying to crack their systems than others. But, on balance, their architectures have been terrible from a security perspective. They may be getting better, but they still lack that peer review advantage. So, I don't think this issue is "irrelevant."
Regarding IBM, I understand that the term "FUD" was invented to describe their marketing practices. (Making IBM's use of the term in their counter suit against SCO pretty ironic.) But what has that to do with Microsoft's use of the practice today? Are you implying that customers today can't tell FUD from truth? I partly agree, but mostly disagree with that. First, information technology plays a much larger role today in enterprises than it did in the day that IBM was the unquestioned IT leader. IT pervades organizations from corporations to governments and beyond. That doesn't guarantee a more sophisticated consumer, but it does mean that there are more eyeballs on IT, and at a higher level. Second, despite Microsoft's monopoly position, they are not the unquestioned leader IBM was. There is a lot more noise made from a broader range of critics about Microsoft's practices than there ever was objecting to IBM's behavior. This means that the "truth" has a better chance of getting out. (I put "truth" in quotes to acknowledge that it can be a slippery concept in the best of circumstances. Nevertheless, I think it's relevant.)
I don't think underestimating Microsoft is advisable. I think they do get the true nature of OSS and the threat it poses to their businesses. They are trying to answer as many of those threats as they can. Linux threatens Microsoft on many fronts. One is price, and not just on the initial purchase. So they have a fund that can be used to ensure they lose no deals to Linux based on price. But as the Economist points out, Munich took Microsoft's "cheaper than Linux" offer and told them to keep it. There are other areas where they are having a hard time responding to the Linux threat. They can't match the massive peer review advantage of OSS without becoming a completely different company. But they can partially answer the advantage of open source code. Thus, their "shared source" program was born. Along with this goes FUD claiming that the peer review advantage of OSS is actually a weakness because bad guys can look at the source too. This probably plays well for them, but since it isn't true, it will only be useful for a while. Similarly, Microsoft spreads FUD about intellectual property in Linux. And in the same way, once the SCO suit is dealt with, they won't be able to use that angle either.
So judging by their responses, I'd say Microsoft "gets it" completely. They are perhaps the most clever, and ruthless, practitioners of marketing the world has ever seen. Underestimate them at your peril!
Well, the idea that OSS can compete with Microsoft is relatively new in the mainstream. But what I was referring to was the analysis of why a government entity might consider OSS to be superior to proprietary. Those are ideas that have some weight attached to them. Specifically:
Massive peer review makes OSS more secure than comparable closed source products
Proprietary document formats raise issues when government information is stored using them.
When a government IT infrastructure is completely dependent on a (possibly foreign) corporation whose (proper) concern is shareholder value, it raises questions about the ability of the government to pursue (properly) different goals using that infrastructure.
I've seen these issues well reported in the nerd community, but this is the first time I've read it in The Economist. Their circulation, shall we say, differs substantially from the user list at Slashdot. I think the ideas carry even more weight with decision makers in government and elsewhere when a mainstream publication like the Economist publishes them. And that, I think, is bad news for Microsoft.
To have this analysis show up in The Economist rather than Slashdot or LWN, etc, is a bad omen for Microsoft.
It's just as easy to lie as to tell the truth. What's hard is keeping the lie standing long enough to fool your target. The truth takes less energy to maintain.
Sounds like you have a very nice stable of "anal-retentive" people to do your bidding. Can I have their addresses? I have some paperwork I need done by Friday. 8)
I still like the old fashioned folders because they give me automatic, time based context. That is, if I have a discussion going with a regular group, but suddenly someone new chimes in. Or an existing set of contacts suddenly reorganizes around a new topic that I couldn't have predicted in advance.
Virtual folders are a powerful idea, but I prefer them as a complement to existing mail organization, not a replacement.
Of course, you could make the traditional view just another virtual folder. Perhaps that's what you had in mind?
David Gelernter, the comp sci professor, author and Unabomber victim, has created software he calls Scopeware. It basically organizes information in a series of related chains. These can be date based or otherwise. I haven't used it, but I've read that he is responding to some of the same concerns you mention.
On a less lofty, but free, note, Evolution has "virtual folders" in which you can place anything a filter expression can select. I use them to sort my email by sender address. I still have my main inbox, and all the categorized subfolders, but the virtual folders select particular people out of the massive mail database. So I can recall that Joe said something three weeks ago that relates to a current problem, and look in the "Joe" virtual folder to find it. There's still no easy way to add arbitrary messages to a virtual folder, other than adding a filter rule that selects just that one message. At least I haven't found a way. But it seems to address part of your concern, for email at least.
I second the suggestion of submitting the work to a journal. Specifically, you could submit it to the LISA (Large Installation Systems Administration) conference, and get it into their proceedings. Or you could try ;login, the magazine of USENIX and SAGE. Also, there's Sysadmin Magazine. If it's Linux related, there are a whole slew of Linux mags, of course.
Every bit of RHEL is GPLd except for the Java stuff from Sun and IBM. Red Hat isn't selling bits. They give the bits away under the GPL. They are selling support, but that's not where the "value add" is. As noted previously, they are selling a platform that is certified by Enterprise software houses, principally Oracle. Want to run up-to-date Oracle on Linux and have an Oracle support contract? Your choices are Red Hat Advanced Server or SuSE's Enterprise Linux.
So Red Hat is selling their relationship with Oracle. Oracle gets a stable platform that doesn't change every six months. Red Hat gets a value proposition for businesses that want Oracle support. The price of RHEL as a percentage of a total package including that is a drop. in. the. bucket.
But there are problems with this. Red Hat is a true blue GPL believing outfit. That's true of their management as well as their engineers. What's more, they depend on countless other true believers outside the company to write software for them. The solution is threefold. First, everything in RHEL is GPLed! They make the source available for download. Nothing has changed in their support for Free Software. Second, those true believers outside Red Hat tend to like the latest and greatest stuff, so accelerate the pace of the "consumer" distro's development. This dovetails nicely with the stable Enterprise platform. It also makes the consumer OS less attractive to those businesses that they want to sell RHEL to. Third, open up the consumer distro to more outside developers. Red Hat has been very picky about the contents of Red Hat Linux. Opening up this process draws outside developers in, keeps relations with those developers healthy and encourages the continued flow of innovation that Red Hat, along with every other Linux vendor, has profited from. (I should note that they have given back to that community handsomely in the coin of mostly excellent engineering that finds its way back into the Free Software pool.)
My advice to the questioner would be to buy RHEL for only some of the servers. The ones that you are thinking of running Oracle on would be good choices. For the rest, you have lots of choices. But how about building your own RHEL compatible distro based on the SRPMs that Red Hat releases? You might well be able to apply the same errata as RHEL uses by getting their SRPMs too. Your RHEL-like distro wouldn't be officially supported by Oracle, but it wouldn't need to be, if it wasn't used for that.
My spam bucket is filling up with swill advertising these things. It's nice to know they are worthless without ever having to do the experiment of buying one. Not that I was in danger. I will never do business with anyone who employs spam, unless I'm going to suffer, a lot, by not doing so.
You suggest that the "red team" could fund itself by offering services to commercial concerns. This is, of course, just what existing companies do. But your company, (or project) would have to take on a lot of pro bono work by its definition. It's a nice idea, but probably impractical. (I'd love to be proved wrong.)
I don't disagree that Free Software could use more security auditing. That's the principal focus of OpenBSD and other projects. And I do believe that more-or-less secure components often get put together in insecure ways. I think Free Software has some edge over proprietary in this regard because of community support. But God knows, it's not enough. I'm just not convinced that you've tabled an approach that would be both effective at addressing such weaknesses and economically viable at the same time. How do you shoo the cat herd of free talent toward the goal of fixing up all the insecure web sites based on Free Software? There are way too many permutations.
The problem of auditing source code is easy by comparison. Such an approach has been shown to work well with OpenBSD. But they succeed because the tree is guarded with zeal. And they are patient. They didn't go with Bind 8 for years, until they could audit the sucker. There is a disconnect between the kind of conservative development you need to make something like OpenBSD succeed and the 6 month product cycles of the Linux vendors, not to mention the chaotic pace of this or that subproject.
I don't want to come off completely cynical about this. You've identified a real problem, and started looking at an application of the power of Free Software development models to address it. But I think you need to sharpen your focus some.
OK, so you are going to hire highly experienced and expensive talent to do security audits for open source projects that don't have a revenue model? Where's your revenue model?
And of course, the benefit of open source is that all sorts of motivated, talented people from all over the world pitch in to do a similar analysis for free, and without a formal "red team." This breaks down quite a bit with the volume of Free Software being produced nowadays, however. But the important pieces of infrastructure (Apache, e.g.) DO get the scrutiny their importance demands. Not to mention pounding by black hats.
Someone mentioned OpenBSD. But even they don't audit everything. They confine their attention to the core of the OS. That's quite a lot of software, but the ports tree is quite a bit more. The ports get somewhat more attention than they would simply because you've got a large set of security conscious users.
I hope not. But they'd be justified if they did, IMHO. This is the first truly new idea in the area of password generation I've heard. I'd sure like to be proven wrong, though. It'd be a shame if only Windows could use this system.
Don't publish no durn code with buffer overruns. 8)
Even Palladium won't protect you if you have one of those, providing the vulnerability occurs after the application has authenticated to the hardware. Unless you do something like challenge the app periodically to prove it has an intact copy of the secret key. Does Palladium do that? I don't know. Anti-stack crashing kernels combined with a crypto enabled platform could help too. But the whole game is complex as hell. And it has some of the best minds on the planet working on both sides, so the whole thing is an arms race. I'm nowhere near brilliant enough to predict what attacks those clever folks will mount on such a platform, or to predict their chances of success.
Re:A security issue to watch for (on "Using MovableType?")
MT stores articles and comments in the back-end database. So if that is MySQL, the code needs the username/password of a DB user. If it's Berkeley DB files, it needs write access to them. It also needs write access to the HTML files because it generates them from the DB when you rebuild an entry. I see no reason why any of these files need to be mode 777. Just r/w to the httpd user, or to an appropriate role account if you use suexec.
Here's the output of ls -al on the HTML directory of one of my blogs. The web server is apache running on a virtual server, so it runs as me:
drwxr-xr-x 3 hbo vuser 512 Jun 30 04:56 ./
drwx--x--x 12 hbo vuser 4608 Jun 1 17:53 ../
drwxr-xr-x 2 hbo vuser 512 Jun 30 04:56 archives/
-rw-r--r-- 1 hbo vuser 1890 Jun 30 04:53 archives.html
-rw-r--r-- 1 hbo vuser 48947 Jun 30 04:56 index.html
-rw-r--r-- 1 hbo vuser 8520 Jun 30 04:56 index.rdf
-rw-r--r-- 1 hbo vuser 5497 Jun 30 04:56 index.xml
-rw-r--r-- 1 hbo vuser 521 May 5 03:42 rsd.xml
-rw-r--r-- 1 hbo vuser 5105 May 8 11:43 styles-site.css
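The comment above argues that nothing in a MovableType install needs mode 777, only read/write for the httpd user (or a suexec role account). The script below is an added example, not code from the comment or from MovableType: it audits a web content directory for group- or world-writable entries and strips the write bits, which is the check an admin would run before and after tightening such a directory. The demo tree it builds (the file names, the two deliberately loose entries and the use of mktemp) is constructed for illustration; on a real host you would point the functions at the blog's HTML directory and MT's data directory, and chown them to the httpd user separately, as root.

```shell
#!/bin/sh
# Added example, not code from the original comment or from MovableType:
# find files and directories that group or other may write to (the "mode 777"
# habit the comment argues against) and remove those write bits.

# List every entry under $1 that is group-writable (-perm -020) or
# other-writable (-perm -002). Octal -perm -mode is POSIX find, so this
# runs the same on Linux and the BSDs.
find_loose_perms() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# Number of loose entries as a bare integer (BSD wc pads with spaces).
count_loose_perms() {
    find_loose_perms "$1" | wc -l | tr -d ' '
}

# Strip group/other write everywhere under $1. Using go-w instead of an
# absolute mode leaves execute bits on directories and CGI scripts alone.
# Ownership (httpd user or suexec role account) is a separate, root-only step.
tighten_perms() {
    find "$1" -exec chmod go-w {} +
}

# Constructed demo tree shaped like the listing in the comment, with two
# entries deliberately left loose so the audit has something to report.
make_demo_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/archives"
    printf '<html></html>\n' > "$dir/index.html"
    printf 'body {}\n' > "$dir/styles-site.css"
    : > "$dir/archives/000001.html"
    chmod 755 "$dir" "$dir/archives"
    chmod 644 "$dir/index.html" "$dir/styles-site.css" "$dir/archives/000001.html"
    chmod 777 "$dir/archives"     # loose: anyone local can drop files into archives/
    chmod 666 "$dir/index.html"   # loose: anyone local can rewrite the front page
    printf '%s\n' "$dir"
}

# Stand-alone use: ./audit.sh /path/to/htmldir audits and fixes that directory;
# with no argument it runs against the constructed demo tree and cleans up.
if [ "$#" -gt 0 ]; then
    target=$1
    cleanup=""
else
    target=$(make_demo_tree)
    cleanup=$target
fi
echo "Loose entries before: $(count_loose_perms "$target")"
find_loose_perms "$target"
tighten_perms "$target"
echo "Loose entries after:  $(count_loose_perms "$target")"
if [ -n "$cleanup" ]; then rm -rf "$cleanup"; fi
```

Run it against the demo and it reports two loose entries (archives/ at 777 and index.html at 666), then zero after tightening. The `find` predicate also catches setgid or sticky directories that happen to be group-writable, so review the list before applying `tighten_perms` on a shared host where a group-writable upload directory is intentional.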
There are too many out-and-out pirates in the SPAM game for "do not SPAM" lists to work. I'd be against the proposed anti-SPAM laws on the grounds that it would leave the field completely clear for the outlaws, and encourage them to employ more destructive tactics to get their effluent into the world's inboxes. But I'm for the laws because they at least would provide a legal basis to go after the no good, low-down, slime-sucking SPAM mongers. Failing an Internet in which every packet is signed, or universal use of SMTP extensions that would require a certificate based authentication of the client (both of which would require universal PKI, don't hold your breath), the only thing that might put a dent in the outlaw SPAM would be effective law enforcement that raised the price above whatever ill-gotten profit there is to be had. However, I'm dubious about that too, given the history of drug laws in the US.
No, the certificate authority would sign your personal certificate, just like they do now. The USPS would have an arrangement whereby they would prove that you are who the certificate says you are through a visit to your local Post Office. The central certificate repository would be at the CA.
The Big Brother aspect comes in the arrangement between the USPS and the CA. As noted above, the CA would be required to check your identity against a Patriot Act database before passing the request on to the Post Office. Reading between the lines, it would seem that information collected from you in your CSR might end up refreshing the data in the Patriot Act database. Combine that with the requirement that certificates expire after four years, and you have a mechanism to keep that national database current. All of this is good IT/database practice. But in the hands of the Government, it raises concerns.
I think Microsoft may be hoping that consumers will see a benefit. How's this for a scenario: the entertainment industry really, really wants you to use DRM. They like the idea that your speakers, video card and monitor can participate in Palladium based DRM. Bill Gates tells them "Guys, consumers just aren't buying this shit. we're going to have to dump it." In response, the music industry, all the heavy hitters, make their entire libraries available to Palladium based media platforms for 25 cents a track. In other words, for a reasonable price. They also allow limited copying between PCs and unlimited CD burning, just as they have already done with iTunes. The business justifications are:
Strong DRM means less piracy, hence greater retained profit.
They actually get it now that the volume increases would mean that their take would skyrocket, even at the lower price.
So the consumer sees a better selection, more professionally presented (I know, or hyped to death), a better price (than CDs) and restrictions that don't really hurt, much. I should explain this last point by saying that it is clear to me that people don't share files on Kazaa out of altruism, but because they want the music themselves. So if you give them the music, they won't be too upset that they can't share it.
Now, I think that points others have raised here about foreign governments objecting to encryption technologies they don't hold the keys for are very pertinent. I'm not predicting Microsoft will succeed with this. But I'm guessing they may have some fond hopes along these lines.
It stood a chance from day 0 on my OpenBSD firewall. I restricted ssh this morning after I (belatedly) heard about it.
And that bug will gain traction on systems that don't get patched. Unfortunately, Windows admins aren't the only ones with unpatched systems. 8(
They sue whoever is profiting the most from the use of the "infringing" software. In other words, the projects might be safe,by virtue of not having economic gain from the infringement, but the users and developers, who presumably would be profiting, might be targets.
IANAL, but before you use the case of SCO threatening users to refute me, remember their threats are based on copyright law. Since the users are not, by and large, distributing Linux, that threat is ridiculous. Patent law is a different animal, however.
Also, I have no knowledge of, and therefore no opinion on, the Microsoft patents in question.
To their credit, Microsoft has started getting out in front of many of the problems caused by their buggy software. But, as I commented last year, they are a victim of all the stupid, short sighted decisons favoring marketing glitz over technology that they have made over the years. That installed base is a millstone around their neck.
I don't think they feel that each new bug is the last one. Gone are the days when Microsoft could ignore security issues without a direct negative impact on their bottom line.
FUD and truth are not necessarily disjoint.
Good point.
Can Microsoft control its worms?
That's an open question. They are certainly trying. So is everyone else, of course. It's an arms race. Everyone is vulnerable.
Your comments regarding the real security threat coming from insiders is correct, of course. However, nobody blames the platform or database vendor when that happens. Viruses and other malware coming from the Internet are highly visible. And as they increase in sophistication and destructive potential, they may actually start to tip the well known inside/outside security balance a little. Looking at external threats in isolation for a moment, the balance between malware authors and those who would protect systems is uncomfortably tilted in favor of the black hats by virtue of the "weakest link" principle. Everyone suffers from this, not just Microsoft. Responses to this imbalance include Microsoft's new strategy of focussing a large part of their considerable resources on the problem, and the Open Source community's massive peer review process. As I say, the jury is still out on which will prove the better approach over the long haul. I strongly believe that the latter is better, and so it has proved throughout the era when Microsoft was clueless about security. Now that they are fully enaged, we might be better able to judge which approach is better. Or we might never learn this, if both styles sink under the weight of proliferating malware.
First, there's nothing to prevent Microsoft, or any other large software house, from doing internal peer review.
.. making a law mandating or prohibiting OSS is dumb.
The phrase was "massive peer review." Neither Microsoft, nor any other government or corporation can match the scale at which the Free and Open Source communities can carry out such reviews.
Furthermore, most OSS projects have no organization to their peer review
That sounds like Darl McBride telling the community that they "need to get a business model" because he can't see a model he understands. There are formal review processes, OpenBSD's is a prominent and successful one, but the real power is engaged when the larger community pounds on a piece of software through use. Bugs get found and fixed quickly through an informal process that doesn't look anything like a formal code review, but produces better results. Even OpenBSD benefits from this informal process on top of their more formal process. The results aren't perfect, but they aren't to be sneered at either.
Open document standards would be a good thing, except that open standards tend to evolve at a snails pace.
Except, that's not the problem. The problem is Microsoft uses their document formats to try to lock in their customers. This is precisely the issue that concerns many governments, to judge by what I've read on the topic.
What governments want to do, they will do. Generally they do things with laws. One could argue the politics of that for years, with no progress made in changing minds, or affecting events. Anyhow the referenced article was not concerned with mandates, but with the calculation governments will make when deciding between OSS and Microsoft. I think the former has a lot to offer this sector above and beyond what might appeal to any organization.
Massive peer review makes OSS more secure than comparable closed source products
Quite possibly true but irrelevant. Things like Code Red, Slammer, MSBlaster will not spread extensively and will be extinguished because there's a diverse horde of people with the ability to work out what it takes to stop and extinguish it. If you remove the top two-thirds of the talent, what's left will still manage to somehow extinguish it.
Well, I'm not as optimistic about that as you seem to be.
But, that "diverse hoard" is exactly where OSS has a potential advantage. I say "potential" because lots of people actually have to look at the source
with an eye toward fixing security problems for the advatage to become actual. Not all OSS code gets that kind of scrutiny.
Microsoft's isn't the only platform vulnerable to the menagerie of security bugs. Stack busting was first studied extensively on a Unix platform, for example. And Microsoft's position as the 90% leader on the desktop does indeed mean more effort is expended trying to crack their systems than others. But, on balance, their architectures have been terrible from a security perspective. They may be getting better, but they still lack that peer review advantage. So, I don't think this issue is "irrelevant."
Regarding IBM, I understand that the term "FUD" was invented to describe their marketing practises. (Making IBM's use of the term in their counter suit against SCO pretty ironic.) But what has that to do with Microsoft's use of the practise today? Are you implying that customers today can't tell FUD from truth? I partly agree, but mostly disagree with that. First, information technology plays a much larger role today in enterprises than it did in the day that IBM was the unquestioned IT leader. IT pervades organizations from corporations to governments and beyond. That doesn't guarantee a more sophisticated consumer, but it does mean that there are more eyeballs on IT, and at a higher level. Second, despite Microsoft's monoploy position, they are not the unquestioned leader IBM was. There is a lot more noise made from a broader range of critics about Microsoft's practices than there ever was objecting to IBM's behavior. This means that the "truth" tends has a better chance of getting out. (I put "truth" in quotes to acknowledge that it can be a slippery concept in the best of circumstances. Nevertheless, I think it's relevant.)
I don't think underestimating Microsoft is advisable. I think they do get the true nauture of OSS and the threat it poses to their businesses. They are trying to answer as many of those threats as they can. Linux threatens Microsoft on many fronts. One is price, and not just on the initial purchase. So they have a fund that can be used to ensure they lose no deals to Linux based on price. But as the Economist points out, Munich took Microsoft's "cheaper than Linux" offer and told them to keep it. There are other areas where they are having a hard time responding to the Linux threat. They can't match the massive peer review advantage of OSS without becoming a completely different company. But they can partially answer the advantage of open source code. Thus, their "shared source" program was born. Along with this goes FUD claiming that the peer review advantage of OSS is actually a weakness because bad guys can look at the source too. This probably plays well for them, but since it isn't true, it will only be useful for a while. Similarly, Microsoft spreads FUD about intellectual property in Linux. And in the same way, once the SCO suit is dealt with, they won't be able to use that angle either.
So judging by their responses, I'd say Microsoft "gets it" completely. They are perhaps the most clever, and ruthless, practicioners of marketing the world has ever seen. Underestimate them at your peril!
I've seen these issues well reported in the nerd community, but this is the first time I've read it in The Economist. Their circulation, shall we say, differs substantially from the user list at Slashdot. I think the ideas carry even more weight with decision makers in government and elsewhere when a mainstream publication like the Economist publishes them. And that, I think, is bad news for Microsoft.
To have this analysis show up in The Economist rather than Slashdot or LWN, etc, is a bad omen for Microsoft.
It's just as easy to lie as to tell the truth. What's hard is keeping the lie standing long enough to fool your target. The truth takes less energy to maintain.
Sounds like you have a very nice stable of "anal-retentive" people to do your bidding. Can I have their addresses? I have some paperwork I need done by Friday. 8)
I still like the old fashioned folders because they give me automatic, time based context. That is, if I have a discussion going with a regular group, but suddenly someone new chimes in. Or an existing set of contacts suddenly reorganizes around a new topic that I couldn't have predicted in advance.
Virtual folders are a powerful idea, but I prefer them as a complement to existing mail organization, not a replacement.
Of course, you could make the traditional view just another virtual folder. Perhaps that's what you had in mind?
David Gelernter, the comp sci professor, author and Unabomber victim, has created software he calls Scopeware. It basically organizes information in a series of related chains. These can be date based or otherwise. I haven't used it, but I've read that he is responding to some of the same concerns you mention.
On a less lofty, but free, note, Evolution has "virtual folders" in which you can place anything a filter expression can select. I use them to sort my email by sender address. I still have my main inbox, and all the categorized subfolders, but the virtual folders select particular people out of the massive mail database. So I can recall that Joe said something three weeks ago that relates to a current problem, and look in the "Joe" virtual folder to find it. There's still no easy way to add arbitrary messages to a virtual folder, other than adding a filter rule that selects just that one message. At least I haven't found a way. But it seems to address part of your concern, for email at least.
I second the suggestion of submitting the work to a journal. Specifically, you could submit it to the LISA (Large Installation Systems Administration) conference, and get it into their proceedings. Or you could try ;login, the magazine of USENIX and SAGE.
Also, there's Sysadmin Magazine. If it's Linux related, there are a whole slew of Linux mags, of course.
Every bit of RHEL is GPL'd except for the Java stuff from Sun and IBM. Red Hat isn't selling bits. They give the bits away under the GPL. They are selling support, but that's not where the "value add" is. As noted previously, they are selling a platform that is certified by Enterprise software houses, principally Oracle. Want to run up-to-date Oracle on Linux and have an Oracle support contract? Your choices are Red Hat Advanced Server or SuSE's Enterprise Linux.
So Red Hat is selling their relationship with Oracle. Oracle gets a stable platform that doesn't change every six months. Red Hat gets a value proposition for businesses that want Oracle support. The price of RHEL as a percentage of a total package including that is a drop. in. the. bucket.
But there are problems with this. Red Hat is a true blue GPL believing outfit. That's true of their management as well as their engineers. What's more, they depend on countless other true believers outside the company to write software for them. The solution is threefold. First, everything in RHEL is GPLed! They make the source available for download. Nothing has changed in their support for Free Software. Second, those true believers outside Red Hat tend to like the latest and greatest stuff, so they accelerate the pace of the "consumer" distro's development. This dovetails nicely with the stable Enterprise platform. It also makes the consumer OS less attractive to those businesses that they want to sell RHEL to. Third, open up the consumer distro to more outside developers. Red Hat has been very picky about the contents of Red Hat Linux. Opening up this process draws outside developers in, keeps relations with those developers healthy and encourages the continued flow of innovation that Red Hat, along with every other Linux vendor, has profited from. (I should note that they have given back to that community handsomely in the coin of mostly excellent engineering that finds its way back into the Free Software pool.)
My advice to the questioner would be to buy RHEL for only some of the servers. The ones that you are thinking of running Oracle on would be good choices. For the rest, you have lots of choices. But how about building your own RHEL compatible distro based on the SRPMs that Red Hat releases? You might well be able to apply the same errata as RHEL uses by getting their SRPMs too. Your RHEL-like distro wouldn't be officially supported by Oracle, but it wouldn't need to be, if it wasn't used for that.
My spam bucket is filling up with swill advertising these things. It's nice to know they are worthless without ever having to do the experiment of buying one. Not that I was in danger. I will never do business with anyone who employs spam, unless I'm going to suffer, a lot, by not doing so.
D'oh! You are right, of course:
hbo@gate> named -v
BIND 9.2.2
I was off by one tab in konsole. 8-\
Regarding Bind in OpenBSD. I just checked my 3.3 system, and I'm running Bind 8 from the ports tree. They still haven't let it into the core OS!
I don't disagree that Free Software could use more security auditing. That's the principal focus of OpenBSD and other projects. And I do believe that more-or-less secure components often get put together in insecure ways. I think Free Software has some edge over proprietary in this regard because of community support. But God knows, it's not enough. I'm just not convinced that you've tabled an approach that would be both effective at addressing such weaknesses and economically viable at the same time. How do you shoo the cat herd of free talent toward the goal of fixing up all the insecure web sites based on Free Software? There are way too many permutations.
The problem of auditing source code is easy by comparison. Such an approach has been shown to work well with OpenBSD. But they succeed because the tree is guarded with zeal. And they are patient. They didn't go with Bind 8 for years, until they could audit the sucker. There is a disconnect between the kind of conservative development you need to make something like OpenBSD succeed and the 6 month product cycles of the Linux vendors, not to mention the chaotic pace of this or that subproject.
I don't want to come off completely cynical about this. You've identified a real problem, and started looking at an application of the power of Free Software development models to address it. But I think you need to sharpen your focus some.
And of course, the benefit of open source is that all sorts of motivated, talented people from all over the world pitch in to do a similar analysis for free, and without a formal "red team." This breaks down quite a bit with the volume of Free Software being produced nowadays, however. But the important pieces of infrastructure (Apache, e.g.) DO get the scrutiny their importance demands. Not to mention pounding by black hats.
Someone mentioned OpenBSD. But even they don't audit everything. They confine their attention to the core of the OS. That's quite a lot of software, but the ports tree is quite a bit more. The ports get somewhat more attention than they would simply because you've got a large set of security conscious users.
I hope not. But they'd be justified if they did, IMHO. This is the first truly new idea in the area of password generation I've heard. I'd sure like to be proven wrong, though. It'd be a shame if only Windows could use this system.
Don't publish no durn code with buffer overruns. 8)
Even Palladium won't protect you if you have one of those, providing the vulnerability occurs after the application has authenticated to the hardware. Unless you do something like challenge the app periodically to prove it has an intact copy of the secret key. Does Palladium do that? I don't know. Anti-stack crashing kernels combined with a crypto enabled platform could help too. But the whole game is complex as hell. And it has some of the best minds on the planet working on both sides, so the whole thing is an arms race. I'm nowhere near brilliant enough to predict what attacks those clever folks will mount on such a platform, or to predict their chances of success.
Here's the output of on the HTML directory of one of my blogs. The web server is apache running on a virtual server, so it runs as me:
drwxr-xr-x 3 hbo vuser 512 Jun 30 04:56
drwx--x--x 12 hbo vuser 4608 Jun 1 17:53
drwxr-xr-x 2 hbo vuser 512 Jun 30 04:56 archives/
-rw-r--r-- 1 hbo vuser 1890 Jun 30 04:53 archives.html
-rw-r--r-- 1 hbo vuser 48947 Jun 30 04:56 index.html
-rw-r--r-- 1 hbo vuser 8520 Jun 30 04:56 index.rdf
-rw-r--r-- 1 hbo vuser 5497 Jun 30 04:56 index.xml
-rw-r--r-- 1 hbo vuser 521 May 5 03:42 rsd.xml
-rw-r--r-- 1 hbo vuser 5105 May 8 11:43 styles-site.css
Well, it seems that they are not quite disconnected from reality, then.
It's clear they are prepared to essentially stop being a technology company in favor of being an IP litigant. Fah! Ptooie!
There are too many out-and-out pirates in the SPAM game for "do not SPAM" lists to work. I'd be against the proposed anti-SPAM laws on the grounds that it would leave the field completely clear for the outlaws, and encourage them to employ more destructive tactics to get their effluent into the world's inboxes. But I'm for the laws because they at least would provide a legal basis to go after the no good, low-down, slime-sucking SPAM mongers. Failing an Internet in which every packet is signed, or universal use of SMTP extensions that would require a certificate based authentication of the client (both of which would require universal PKI, don't hold your breath), the only thing that might put a dent in the outlaw SPAM would be effective law enforcement that raised the price above whatever ill-gotten profit there is to be had. However, I'm dubious about that too, given the history of drug laws in the US.
So *reset* I'm AGAINST SPAM laws now. 8)
No, the certificate authority would sign your personal certificate, just like they do now. The USPS would have an arrangement whereby they would prove that you are who the certificate says you are through a visit to your local Post Office. The central certificate repository would be at the CA.
The Big Brother aspect comes in the arrangement between the USPS and the CA. As noted above, the CA would be required to check your identity against a Patriot Act database before passing the request on to the Post Office. Reading between the lines, it would seem that information collected from you in your CSR might end up refreshing the data in the Patriot Act database. Combine that with the requirement that certificates expire after four years, and you have a mechanism to keep that national database current. All of this is good IT/database practice. But in the hands of the Government, it raises concerns.
- Strong DRM means less piracy, hence greater retained profit.
- They actually get it now that the volume increases would mean that their take would skyrocket, even at the lower price.
So the consumer sees a better selection, more professionally presented (I know, or hyped to death), a better price (than CDs) and restrictions that don't really hurt, much. I should explain this last point by saying that it is clear to me that people don't share files on Kazaa out of altruism, but because they want the music themselves. So if you give them the music, they won't be too upset that they can't share it. Now, I think that points others have raised here about foreign governments objecting to encryption technologies they don't hold the keys for are very pertinent. I'm not predicting Microsoft will succeed with this. But I'm guessing they may have some fond hopes along these lines.