ARRG! I re-read after posting and realized that the setup labor was WAY off. It would have been closer to $5000. I also forgot that we had to add network cards to every PC. The rest of the numbers are about right, but we would have been able to get only 45 or so brand new PCs not 70.
Regardless I still think that 45 brand new PCs we could use for 5 years is still a better deal than 200 PCs we have to scrap after 2 years and which can barely run modern software.
K12LTSP makes all of this a bit more academic. "Old" PCs are actually useful with that as long as they have a network card, good enough video card, and are fast enough to run K12LTSP well. Just the same, hardware support costs can really add up on old hardware when you have a lot of PCs.
Four or five years ago we received 200 486/25MHz computers for free from a local company. It cost us a fortune.
Most of the mice had to be replaced (approx $1000.) Because they didn't come with *PROOF* of OS licensing, we had to buy DOS for them all (approx $3000.) We had to create a working software image (approx $800 in labor) then haul them around the district, set them up in labs and ghost them (approx $30,000 in labor.)
Soon they started breaking down (power supplies going out, floppies dying, HD's dying, CMOS batteries going dead, etc.) After all, they were OLD computers. So we had to cannibalize systems to keep others running and at times buy some of the cheaper parts (CMOS batteries, a few floppies.) This cost plenty (approx $20,000 in time/labor.)
Eventually we decided it was costing too much just to keep them running... plus space is limited in schools. We wanted to put systems that actually were useful to our students in these labs. You can't just throw these things in the trash (at least not around here due to recycling laws.) The cheapest we found was a place that would take CPUs for $5 each and monitors for $10 each. (The local PC resale place had no interest in any of it.) In all, getting rid of them ran us about another $2000.
If you were keeping track, that means these "free" computers cost the school district around $56,800. With that much cash, we could have gotten 70 brand new PCs from a vendor who pre-ghosts them for us and which have a five year warranty AND still paid for the labor to install them in the classrooms.
And here is something else for you to consider... on average, each tech person in a school district is responsible for 400-500 computers (contrast that to a 1:50 ratio in business.) If the computers require an average of just 10 minutes of time from a tech per *year* compared to a new one, that is as much as two work weeks worth of wasted time.
A whole different issue is how much time is wasted purely by using Windows and the MS model of each PC being independent. People would freak if they realized how much time/money were wasted in schools just keeping the Windows systems running and installing software vs. how much time needed if they used K12LTSP Linux.
My view on this:
- patent protecting an actual implementation of an idea - Good.
- patent protecting just an idea - Bad
- patent protecting an implementation of an idea which is trivial and likely to be duplicated without copying - Very Bad
- patent protecting physical things - Good
- patent on nearly anything in the tech sector for a period of 20 years - Very Very Bad
Justifications: I think patents do have their place to encourage innovation. But I think the current system is far too unbalanced. A 20 year patent on technology might as well have an infinite lifetime. These days tech just doesn't have the shelf life to support a 20 year patent. When your new fancy internal combustion engine barely changes in 50 years, a 17 year (the old term) patent might be ok.
A 20 year patent on a new chip design basically means a lifetime patent. By the time the patent expires there will be no use for someone else to build on your design since it'll be obsolete.
I also think the current patent system needs to be changed into something that encourages innovation more than it discourages it. A company spewing out patents on things which others are very likely to do on their own is useless to innovation. We see useless/ridiculous patents on /. all the time.
You shouldn't need a group of lawyers every time you want to write a program or change a GUI design to meet a need. </rant>
...because most users don't actually look at the source.
I disagree with your disagreement. :)
The reason a lot of us trust OSS more than MS is that we CAN look at the source. For many it's the fact that others who both distrust everybody and are technically capable CAN look at the source if they wish. (And they are likely to do so.)
I never cared a lot about personally being able to look at the source even though I am a fairly competent programmer. But when an update to a core util came out in Gentoo, it was nice to be able to do a simple diff and find 2 lines of trivial changes. Not only could I be sure no trojan had been introduced, I could be confident that the change wouldn't break anything.
I also think a big reason a lot of people like OSS is a matter of ownership. They want full ownership, access and control of their own data. And by their own data, I mean what they create AND what they purchase. The idea that buying a DRMed song makes you give up how/where you can listen to it is in a word offensive to a whole lot of us.
And based on a lot of reaction I'm seeing in the education field, a lot of people want ownership of their decisions. They want to be the ones to decide it's time to upgrade to a new version of an OS or an App. They want to be the ones to decide it's time to retire older computers. They want to be the ones to decide to upgrade home computers... not be forced to in order to remain compatible with updates at work. They don't want MS making those choices for them by changing [undocumented] file formats or dropping support for a working product.
Besides, if only 1 person in your organization is making use of macros and other advanced features, it's very useful that everyone else can open that person's documents without additional software.
Which is EXACTLY why document specs should be open. I support around 6000 users. Of those, only about 50 know how to do anything useful with macros and of those only 1-2 actually require any type of macros. I doubt either would *need* VBA macros as long as they could just automate some other app.
Why should our organization have to pay over a quarter million $ just because 0.03% of my users might need MS Word macro capabilities? But instead, as long as we want 100% file compatibility we are locked into buying MS-Office for every PC.
If the file formats were open, alternative apps could be 100% compatible and the choice of which app to run could be made based on needs and not lock-in.
If I purchase a song, I have the right to back it up. I have the right to listen to it where I want and not only on one PC.
I agree 100%. That's why the last three albums I purchased have all been from Magnatune. You even get the full CD-Quality .WAV files when you purchase if you want them. That plus knowing that the artist gets a much bigger share of my purchase than through an RIAA label.
They definitely don't have the top hits, but at the same time, they do have a surprisingly good selection. Especially of alternative stuff. I'm just checking out the rock now, but I've gotten techno from them in the past.
Adobe has a perfect recourse: Microsoft would need to license the rights to PDF from Adobe first
No. The PDF specifications have been basically open since more or less the very beginning. While they hold patents on the specification, they give the right to use the specs royalty free.
Besides, the market in Acrobat is about a lot more than just Distiller.
True enough, but the majority of people who buy Acrobat only care about creating PDFs. I don't know about the latest versions, but v4.x absolutely *stunk* for editing an already created PDF.
This fall at a tech conference I did a session on PDFs. The last part of the session was looking at alternatives for creating PDFs. At least one group attending was planning to ditch Adobe once they found out that Open Office can create PDFs on the fly. Like most users, they just want basic PDF creation features and don't even use the other ones.
this should mean the source code should be opened to the public
My thinking is that if the security can't withstand public scrutiny then it shouldn't be in use anyhow. Even if the source is secure, open disclosure is still needed. Without it, supporters of the losing side are always going to claim there was cheating or that the election was rigged... without public proof to the contrary.
Open sourcing of the code is needed for public confidence if nothing else.
Actually, there's a film based on a true story of a man suing god
Oh really? And just what lawyer is going to agree to die in order to serve papers in the right jurisdiction? Oh wait... how would a lawyer even get to the right jurisdiction if they did die? ;-)
If you can't find a job, then that is just the market at work. You may be great technically but not have people skills, or whatever.
While I'm feeling a bit old today, I've actually only been in the tech job market for about 15 years. And through all that time, no matter the market, the ones who were good (fresh out of college or not) always seemed to have a job. Sometimes it meant moving half a state away (or more) but they got good paying jobs.
During the tech job slump, I didn't know a single highly competent tech person who didn't have or couldn't get a job. I knew a few who were laid off but got jobs immediately. The only tech people I knew who had trouble getting work sucked at the job.
I'm sure there are some (maybe many) who were pretty hot stuff but lost their job due to layoffs or a company going out of business. While I feel for you, were you willing to relocate? Do you have people skills? Did your resume show how you could be an asset to the company, or did it just tell them you knew C/C++? (If you don't know it, there IS a difference. The really good paying jobs usually want to know how you can help them more than they want to know what you can do.)
During the very worst of the tech job market, we had a position to fill and could only find ONE qualified applicant and he already had a job. (You would think that at least one more applicant would have had certification or at least experience in what was listed on the job posting.) The only difference between that and when the market was hot was that we had the one qualified applicant. During the tech boom, we wouldn't have had any and would have just had to pick the least unqualified.
In college, there were people who got their degree only because they got tons of tutoring by other students. One gal in C class never did quite get "the whole variables thing."
One day just after starting a new job, a coworker was telling me that the company would pay for each of your tests three times but that you could take them as many times as you wanted to... you just had to pay after the 3rd. I said, "Well, if you can't get it in three tries, maybe this isn't the right line of work." The reply was, "Oh no, I've taken my TCP/IP test 5 times now, next month will be the sixth." I just kept my mouth shut.
Should those two people even be doing tech work? Is it in a company's best interest to hire them?
Before I get modded as flame-bait or told by 100 people that they were top-notch and lost their job, let me say that I know it happened to some of you. It sucks. Move on. It's especially a problem if you were ultra-specialized. Maybe you spent the last 5 years designing phone system line cards... yeah, the market on that is pretty small. But a really good programmer or sys admin should be able to find something somewhere. (Again... that "relocate" word.) And if you really are as good as you say, why not pick up a couple new languages... or study up and get certified for LPI or RHCE (or Solaris, or CNE or MCSE?)
Despite the new dept., I will be surprised to see widespread changes in the OS. As long as MS is driven more by the marketing dept. than anything else there will always be issues.
The problem is the mentality of "HEY, if we add functionality to Windows, we'll get more market share!"
New features are not a problem. Features people want are not a problem. New features designed only to "create" a desire in the marketplace is a problem.
how about tunnelling telnet over ssh using port forwarding feature of ssh?
Would be nice, but the app required telnet in addition to several other ports (for Informix actually.) And it is a Windows app. The fact that the hosts which needed access were mixed in with other public hosts didn't help a lot either.
If this had been some kind of Linux app (or wasn't way too dependent on Windows to keep it from running in wine) I may have done something with iptables redirects and tunneling a connection to the server. As it was though, there wasn't any good solution which was cost effective (read free since I wouldn't be given any money to "fix" a working app.) Anything else I could think of would have just been a kludge and would have opened other more serious security holes.
I still think the ideal fix would have been for us to pressure the vendor to use some kind of SSH library for Windows in the app. Even if they didn't find a free one they could probably afford to include one considering we pay about $750 (PER SEAT!) for support/maintenance.
But the boss said "NO," I covered my own ass, and I still have a job (hopefully one I can keep due to the CYA memo.)
secure the connection from the remote user to a terminal server sitting next to your budgetary server, then at least TELNET is only in the clear across one hop on a switch.
One hop or 50, if the potential hacker knows (or can find out) the address of the endpoints (host and server, host and router, etc.) ettercap will work just fine.
I work for one of these contractors. Frankly, we do exactly what they ask us to do.
If these departments want to be secure, they need to give guidelines up front
Frankly I'm not surprised. The whole "lowest bidder" framework is crap in most cases. Here is the process for building our last new school (from a tech standpoint anyhow) if anybody is interested:
Meet with contractor and give very detailed instructions about required wiring closets, cabling, cable drops, etc.
Eventually get a copy of the bid specs and floor plans.
Go over very thick specs book with your stuff scattered all over it and look over floorplans.
Meet with contractor again and point out that a) there are NO wiring closets, b) drops are not marked on plans, c) none of the fiber you asked for is included, and d) the cable types are not what you specified.
Receive addendum to specs which appears to fix everything.
Specs go out for bid
The vendor you have worked with before realizes things still aren't right; they don't want to lose out on the bid but don't want to get a bad image with you either, so they set up a meeting to point out all of the remaining problems with the specs. (This only happens if you are lucky.)
Send revision request to the contractor/architect again and another addendum to the specs is released.
Finally get everything out to bid.
Choose who gets the bid (again, this was fortunate because often it just goes to the low bidder.)
Sub-contractor contacts you to point out that the architect put some copper runs over 400 feet long despite the fact that a wiring closet was right across the hall. (This often doesn't happen with the low bidder... they just do the job as the specs/plans say... any mistakes... too bad, the job is up to spec.)
Eventually building is done and you still find stuff that isn't right.
With the "lowest bidder" mentality, your specs better be PERFECT and include EVERY little detail on the setup and configuration. You can't assume ANYTHING. You had better include all the details or at least reference standards which do. The vendors who care to do a good job won't get the contract because they'll come in with a higher bid.
The ones who don't care usually win because they bid exactly what is in the specs... no more, no less. If there is a mistake, they'll build it with the mistake in place. If there is a security hole, guess what... it goes into the system. And if you aren't writing the specs yourself, watch out. You might get an architect like we had who in one meeting finally admitted, "Well, I really don't know much about this computer cabling stuff."
As the majority of users work with newer and newer technologies, those old technologies will become safer and safer.
Not really true. There still are plenty of technologies in even XP that are holdouts from 98. Just because 95/98 wasn't vulnerable to the RPC exploits doesn't mean it's immune to XP/2000/NT worms.
If a proprietary tool is extremely useful to you and few others, you can almost count on it getting discontinued after a year or two of stalled sales.
Also consider that the more completely a piece of software meets your needs, the less incentive there is to upgrade to a new version. This is a problem (at least from the vendor's sales point of view.) The solution to this "lack of incentive" problem is typically:
Cram a ton of new features into next version (whether or not they are appropriate for the particular software)
Stop releasing bug fixes for previous version (as much as you can get away with it anyhow)
Tie product version to OS version (so new OS requires new purchase)
Push customers to a "rental" type licensing plan
Always hold out from the current release a few features that may be simple to add but are desired by customers enough that they would upgrade to get them
Marketing, marketing, marketing! Announce plans to include the most amazing and desirable features even if you are not sure you can deliver them (or make commercials showing office staff acting like complete (but happy) idiots so you can sell based on emotional reaction instead of features)
Except for the "rental" or "lease" type licensing, everything else requires you to get the customer to buy upgrades.
It's a problem in the enterprise market, where custom software gets built, as well as in Open Source software.
The problem in enterprise is actually bigger. Open source can actually help avoid the problem of "no upgrade path to the latest commercial version" which is VERY common when modifications are made to proprietary vertical market apps.
With open source the changes can, and usually should, be given back to the main developers to be included in the main source tree. This usually allows the customizations to survive version changes. If you are overly protective of your own modifications and don't want to share... then be prepared to accept the consequence of forklift upgrades.
This is not limited to in-house development. Many vendors will modify their own software for a customer to the point where a simple upgrade is impossible. Part of the problem is poor fork management and lackluster customization skills. But that doesn't make the next upgrade any cheaper.
Another point that should be made is that forking is less of a problem in OSS because the pool of developers is not fixed and small like it is with proprietary software. Forks generally increase the number of developers overall. And forks tend to either be merged back in, die off, or replace the original completely depending on the quality and popularity of the changes introduced.
Also, forking a proprietary software package can be much more risky than forking proprietary. Let's say you customize accounting software that sells for $1000/seat and resell the custom version (assuming the license permits it) for $2000/seat, making $1000 gross profit per sale. What happens if the next version doesn't permit resale? What if a "source" license jumps to $10,000/seat? What if the parent software company goes out of business and the full source goes into limbo?
Of course, with proprietary, you always have the option of not forking at all... but you do with OSS too, so big deal. More to the point, in the vast majority of cases you don't even have an option of forking proprietary if it doesn't meet your needs. Instead you have to force your business to fit the software instead of the other way around.
Re:I do the same, with no expiration... (on "Real Security?")
I'm with you on expiry. A well-guarded sufficiently complex password is much better (IMHO) than an easy to remember one changed every 30 days. On anything that really matters (root/admin level pwds, logins which might avail someone to the use of my CC) I use a good (TM) password with at least 10 characters (sometimes 12 or more.)
Another post asks 'what if someone got your shadow file and a copy of John the ripper?' Well, then my box is cracked anyhow, so what good does the password do me now?
Besides, on a 2GHz system I've run john at about 4000 keys/sec. That's not really stellar. I did the math... if you have a combination of 10 character pw with upper/lower-case letters, numbers, and punctuation, it's still a long time for a crack. Even if the cracker assumes you only use about 8 different punctuation chars out of what is available (and guesses right) that is still a LOT of combinations. Assuming they had access to a bunch of good 2-3GHz systems and distributed the job to John across them all somehow, and got lucky enough to crack it after only exhausting 10% of the keyspace... it'd still require over 1/2 million computers to crack it in less than 3 years!
Short of my password showing up as someone's latest distributed.net project I'm not all that worried about brute force on my passwords.
Of course this assumes you never expose those passwords. But I always use SSH or SCP (never telnet or FTP) and never allow SSH as root. I only use IMAPS (or SSL for web-based) for e-mail (and usually use SSH and pine or mutt.) The only password I use across multiple machines is my own personal PW, but even then
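The keyspace arithmetic behind the "over 1/2 million computers" figure in the post above, as an added worked example (not from the original comment). The 4000 keys/sec rate, the 10-character length, the 8 guessed punctuation characters, the 10% of keyspace and the 3-year window are the post's own numbers; the functions and the 8-character comparison are my additions.

```python
import math

# Character classes the post assumes the attacker knows about: upper and
# lower case letters, digits, and the 8 punctuation characters the attacker
# is assumed to have guessed correctly (the post's assumption, not a fact).
UPPER = 26
LOWER = 26
DIGITS = 10
PUNCT_GUESSED = 8
ALPHABET = UPPER + LOWER + DIGITS + PUNCT_GUESSED  # 70 symbols

SECONDS_PER_YEAR = 365 * 24 * 60 * 60


def keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int = ALPHABET) -> float:
    """Equivalent entropy in bits for a uniformly chosen password."""
    return length * math.log2(alphabet)


def years_single_machine(length: int, rate: float, fraction: float = 1.0,
                         alphabet: int = ALPHABET) -> float:
    """Years one machine testing `rate` keys/sec needs to try `fraction`
    of the keyspace (fraction=0.1 is the post's 'lucky' attacker)."""
    return keyspace(length, alphabet) * fraction / (rate * SECONDS_PER_YEAR)


def machines_needed(length: int, rate: float, years: float,
                    fraction: float = 1.0, alphabet: int = ALPHABET) -> int:
    """Machines (each testing `rate` keys/sec) needed to try `fraction`
    of the keyspace within `years`, assuming perfect work distribution."""
    candidates = keyspace(length, alphabet) * fraction
    per_machine = rate * years * SECONDS_PER_YEAR
    return math.ceil(candidates / per_machine)


if __name__ == "__main__":
    # The post's scenario: 10 chars, 4000 keys/sec/box, 10% of keyspace, 3 years.
    print("keyspace (10 chars):", keyspace(10))
    print("entropy bits:", round(entropy_bits(10), 1))
    print("machines for 10% in 3 years:", machines_needed(10, 4000, 3, 0.1))
    # Same attacker against an 8-character password of the same alphabet,
    # to show how much the two extra characters buy you.
    print("machines for 8-char password:", machines_needed(8, 4000, 3, 0.1))
```

The 8-character comparison drops the required cluster from hundreds of thousands of machines to a few hundred, which is the whole argument for preferring a longer, well-guarded password over a short, frequently rotated one.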
I can just see the marketing material from MS to the embedded developers: Using other embedded OSes puts you at risk of patent violation. We're just trying to help you avoid expensive litigation or licensing. (Nevermind that it's our patents.)
Hey, if they can't compete on quality and features, why not force their way into the market using patents.
If I have to reboot more than once per year, I'm switching to Windows.
If a reboot is freaking you out that much ;-) then don't do it. At least unless you have local users who you don't trust to behave themselves or to take reasonable precautions securing systems they access remotely.
That's all well and good.. but how do you survive (suffer?) Windows XP after the first day? ;)
I disagree with your disagreement. :)
The reason a lot of us trust OSS more than MS is that we CAN look at the source. For many it's the the fact that others who both distrust everybody and are technically captable CAN look at the source if they wish. (And they are likely to do so.)
I never cared a lot about personally being able to look at the source even though I am a fairly competent programmer. But when an update to a core util came out in Gentoo, it was nice to be able to do a simple diff and find 2 lines of trivial changes. Not only could I be sure no trojan had been introduced, I could be confident that the change wouldn't break anything.
I also think a big reason a lot of people like OSS is a matter of ownership. They want full ownership, access and control of their own data. And by their own data, I mean what they create AND what they purchase. The idea that buying a DRMed song makes you give up how/where you can listen to it is in a word offensive to a whole lot of us.
And based on a lot of reaction I'm seeing in the education field, a lot of people want ownership of their decisions. They want to be the ones to decide it's time to upgrade to a new version of an OS or an App. They want to be the ones to decide it's time to retire older computers. They want to be the ones to decide to upgrade home computers... not be forced to in order to remain compatible with updates at work. They don't want MS making those choices for them by changing [undocumented] file formats or dropping support for a working product.
Which is EXACTLY why document specs should be open. I support around 6000 users. Of those, only about 50 know how to do anything useful with macros and of those only 1-2 actually require any type of macros. I doubt either would *need* VBA macros as long as they could just automate some other app.
Why should our organization have to pay over a quarter million $ just because 0.03% of my users might need MS Word macro capabilities? But instead, as long as we want 100% file compatibility we are locked into buying MS-Office for every PC.
If the file formats were open, alternative apps could be 100% compatible and the choice of which app to run could be made based on needs and not lock-in.
I agree 100%. That's why the last three albums I purchased have all been from Magnatune. You even get the full CD-Quality .WAV files when you purchase if you want them. That plus knowing that the artist gets a much bigger share of my purchase than through an RIAA label.
They definately don't have the top hits, but at the same time, they do have a surprisingly good selection. Especially of alternative stuff. I'm just checking out the rock now, but I've gotten techno from them in the past.
No. The PDF specifications have been basically open since more or less the very beginning. While they hold patents on the specification, they give the right to use the specs royalty free.
True enough, but the majority of people who buy Acrobat only care about creating PDFs. I don't know about the latest versions, but v4.x absolutely *stunk* for editing an already created PDF.
This fall at a tech conference I did a session on PDFs. The last part of the session was looking at alternatives for creating PDFs. At least one group attending was planning to ditch Adobe once they found out that Open Office can create PDFs on the fly. Like most users, they just want basic PDF creation features and don't even use the other ones.
My thinking is that if the security can't withstand public scrutiny then it shouldn't be in use anyhow. Even if the source is secure, open disclosure is still needed. Without it, supporters of the losing side are always going to claim there was cheating or that the election was rigged... without public proof to the contrary.
Open sourcing of the code is needed for public confidense if nothing else.
Oh really? And just what lawyer is going to agree to die in order to serve papers in the right jurisdiction? Oh wait... how would a lawyer even get to the right jurisdiction if they did die? ;-)
While I'm feeling a bit old today, I've actually only been in the tech job market for about 15 years. And through all that time, no matter the market, the ones who were good (fresh out of college or not) always seemed to have a job. Sometimes it meant moving half a state away (or more) but they got good paying jobs.
During the tech job slump, I didn't know a single highly competent tech person who didn't have or couldn't get a job. I knew a few who were laid off but got jobs immediately. The only tech people I knew who had trouble getting work sucked at the job.
I'm sure there are some (maybe many) who were pretty hot stuff but lost their job due to layoffs or a company going out of business. While I feel for you, were you willing to relocate? Do you have people skills? Did your resume show how you could be an assett to the company, or did it just tell them you knew C/C++? (If you don't know it, there IS a difference. The really good paying jobs usually want to know how you can help them more than they want to know what you can do.)
During the very worst of the tech job market, we had a postition to fill and could only find ONE qualified applicant and he already had a job. (You would think that at least one more applicant would have had certification or at least experience in what was listed on the job posting.) The only difference between that and when the market was hot was that we had the one qualified applicant. During the tech boom, we wouldn't have had any and would have just had to pick the least unqualified.
In college, there were people who got their degree only because they got tons of tutoring by other students. One gal in C class never did quite get "the whole variables thing."
One day just after starting a new job, a coworker was telling me that the company would pay for each of your tests three times but that you could take them as many times as you wanted to... you just had to pay after the 3rd. I said, "Well, if you can't get it in three tries, maybe this isn't the right line of work." The reply was, "Oh no, I've taken my TCP/IP test 5 times now, next month will be the sixth." I just kept my mouth shut.
Should those two people even be doing tech work? Is it in a company's best interest to hire them?
Before I get modded as flame-bait or told by 100 people that they were top-notch and lost their job, let me say that I know it happened to some of you. It sucks. Move on. It's especially a problem if you were ultra-specialized. Maybe you spent the last 5 years designing phone system line cards... yeah, the market on that is pretty small. But a really good programmer or sys admin should be able to find something somewhere. (Again.. that "relocate" word.) And if you really are as good as you say, why not pick up a couple new languages... or study up and get certified for LPI or RHCE (or Solaris, or CNE or MCSE?)
I'm betting you could make it amphibious for under a ton too.
The problem is the mentality of "HEY, if we add functionality to Windows, we'll get more market share!"
New features are not a problem. Features people want are not a problem. New features designed only to "create" a desire in the marketplace is a problem.
Yeah, but how are you going to lock customers into your product if you do that? No.. too risky from a sales point of view.
Would be nice, but the app required telnet in addition to several other ports (for Informix actually.) And it is a Windows app. The fact that the hosts which needed access were mixed in with other public hosts didn't help a lot either.
If this had been some kind of Linux app (or wasn't way too dependent on Windows to keep it from running in wine) I may have done something with iptables redirects and tunneling a connection to the server. As it was though, there wasn't any good solution which was cost effective (read free since I wouldn't be given any money to "fix" a working app.) Anything else I could think of would have just been a kludge and would have opened other more serious security holes.
I still think the ideal fix would have been for us to pressure the vendor to use some kind of SSH library for Windows in the app. Even if they didn't find a free one they could probably afford to include one considering we pay about $750 (PER SEAT!) for support/maintenance.
But the boss said "NO," I covered my own ass, and I still have a job (hopefully one I can keep due to the CYA memo.)
One hop or 50, if the potential hacker knows (or can find out) the address of the endpoints (host and server, host and router, etc.) ettercap will work just fine.
Frankly I'm not surprised. The whole "lowest bidder" framework is crap in most cases. Here is the process for building our last new school (from a tech standpoint anyhow) if anybody is interested:
With the "lowest bidder" mentality, your specs better be PERFECT and include EVERY little detail on the setup and configuration. You can't assume ANYTHING. You had better include all the details or at least reference standards which do. The vendors who care to do a good job won't get the contract because they'll come in with a higher bid.
The ones who don't care usually win because they bid exactly what is in the specs... no more, no less. If there is a mistake, they'll build it with the mistake in place. If there is a security hole, guess what.. it goes into the system. And if you aren't writing the specs yourself, watch out. You might get an architect like we had who in one meeting finally admitted, "Well, I really don't know much about this computer cabling stuff."
That is one of the most ironic things about government/school spending, IMHO. The more wasteful you are the more $ you get.
Not really true. There still are plenty of technologies in even XP that are holdouts from 98. Just because 95/98 wasn't vulnerable to the RPC exploits doesn't mean it's immune to XP/2000/NT worms.
Except for the "rental" or "lease" type licensing, everything else requires you to get the customer to buy upgrades.
The problem in enterprise is actually bigger. Open source can actually help avoid the problem of "no upgrade path to the latest commercial version" which is VERY common when modifications are made to proprietary vertical market apps.
With open source the changes can, and usually should, be given back to the main developers to be included in the main source tree. This usually allows the customizations to survive version changes. If you are overly protective of your own modifications and don't want to share... then be prepared to accept the consequence of forklift upgrades.
This is not limited to in-house development. Many vendors will modify their own software for a customer to the point where a simple upgrade is impossible. Part of the problem is poor fork management and lackluster customization skills. But that doesn't make the next upgrade any cheaper.
Another point that should be made is that forking is less of a problem in OSS because the pool of developers is not fixed and small like it is with proprietary software. Forks generally increase the number of developers overall. And forks tend to either be merged back in, die off, or replace the original completely depending on the quality and popularity of the changes introduced.
Also, forking a proprietary software package can be much more risky than forking proprietary. Let's say you customize accounting software that sells for $1000/seat and resell the custom version (assuming the license permits it) for $2000/seat, making $1000 gross profit per sale. What happens if the next version doesn't permit resale? What if a "source" license jumps to $10,000/seat? What if the parent software company goes out of business and the full source goes into limbo?
Of course, with proprietary, you always have the option of not forking at all... but you do with OSS too, so big deal. More to the point, in the vast majority of cases you don't even have an option of forking proprietary if it doesn't meet your needs. Instead you have to force your business to fit the software instead of the other way around.
Another post asks 'what if someone got your shadow file and a copy of John the ripper?' Well, then my box is cracked anyhow, so what good does the password do me now?
Besides, on a 2GHz system I've run john at about 4000 keys/sec. That's not really stellar. I did the math... if you have a combination of 10 character pw with upper/lower-case letters, numbers, and punctuation, it's still a long time for a crack. Even if the cracker assumes you only use about 8 different punctuation chars out of what is available (and guesses right) that is still a LOT of combinations. Assuming they had access to a bunch of good 2-3GHz systems and distributed the job to John across them all somehow, and got lucky enough to crack it after only exhausting 10% of the keyspace.... it'd still require over 1/2 million computers to crack it in less than 3 years!
Short of my password showing up as someone's latest distributed.net project I'm not all that worried about brute force on my passwords.
Of course this assumes you never expose those passwords. But I always use SSH or SCP (never telnet or FTP) and never allow SSH as root. I only use IMAPS (or SSL for web-based) for e-mail (and usually use SSH and pine or mutt.) The only password I use across multiple machines is my own personal PW, but even then
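The brute-force arithmetic in the post above, redone as an added example (constructed here, not code from the original poster). It assumes the poster's figures: a 10-character password over upper/lower-case letters, digits and 8 punctuation characters (70 symbols), 4000 keys/sec per machine, the attacker succeeding after 10% of the keyspace, and a 365-day year; the rate is a parameter because present-day hash-cracking hardware is many orders of magnitude faster than a 2003-era CPU running John.

```python
"""Estimate how many machines a distributed brute-force needs to finish in time.

Constructed example: re-runs the poster's estimate with every assumption made
explicit, so the same function can be fed a realistic modern cracking rate.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` over an alphabet."""
    return alphabet_size ** length


def seconds_to_search(space: int, fraction: float, keys_per_second: float) -> float:
    """Wall-clock seconds for ONE machine to test `fraction` of the keyspace."""
    return space * fraction / keys_per_second


def machines_needed(space: int, fraction: float, keys_per_second: float,
                    years: float) -> int:
    """Smallest machine count that covers `fraction` of the keyspace in `years`,
    assuming the work splits perfectly across machines (best case for the attacker)."""
    single = seconds_to_search(space, fraction, keys_per_second)
    return math.ceil(single / (years * SECONDS_PER_YEAR))


def posters_scenario() -> int:
    """The post's numbers: 26+26+10 letters/digits plus the 8 punctuation chars
    the attacker is assumed to guess right, 10 chars long, 4000 keys/sec,
    attacker lucky after 10% of the space, deadline 3 years."""
    alphabet = 26 + 26 + 10 + 8
    return machines_needed(keyspace(10, alphabet), 0.10, 4000, 3)


def weak_password_years(keys_per_second: float = 4000) -> float:
    """Contrast case: 8 lowercase letters, full keyspace, one machine, in years."""
    return seconds_to_search(keyspace(8, 26), 1.0, keys_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(f"machines for the poster's scenario: {posters_scenario():,}")
    print(f"8 lowercase letters on one 4000 key/s box: {weak_password_years():.2f} years")
```

Swap `keys_per_second` for a figure from a current GPU benchmark of the same hash type to see how far the three-year margin shrinks; the exposure controls the poster lists (no telnet/FTP, no root SSH, no plaintext IMAP) are what keep the hash from reaching the attacker in the first place.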
Hey, if they can't compete on quality and features, why not force their way into the market using patents.
If a reboot is freaking you out that much ;-) then don't do it. At least unless you have local users who you don't trust to behave themselves or to take reasonable precautions securing systems they access remotely.
Of course with most Windows subsystems having administrator or SYSTEM access, what's the difference?