Okaaay. We've got a problem here. There are artists who rely on concerts/cd sales to support their art. There are bootleggers who record/play/distribute the artist's music with no financial benefit going to the artist. There are fans of the artist who opt to download (free) or buy bootlegged (cheap) music. That's where we're at, right? Right. How about YOU go and talk to the bootlegger and get them to "sponsor" the artist and see what they say! Of course, they're going to tell you to jam it because they're making money.
This problem isn't as big as you make it sound. A person who buys a bootlegged copy of something and likes it is much more likely to buy a non-bootlegged copy of the same thing (better quality) as well as more work from the same musician. Bootlegging has been shown numerous times to build your audience. Metallica, the Who, and a handful of others have used bootlegging as a marketing tactic and become very successful with it.
I'm not saying that bootlegging is right, I'm only saying that it's a tolerable wrong if you're of a mindset that wants to put a stop to it. If you're of a more open mindset, you can use bootlegging to your advantage, and your fans will appreciate that you don't try to criminalize them for doing what they would have done anyway. That is why so many of us felt betrayed when Metallica showed up against P2P, and no amount of bribery on their part will bring us back.
Or, to put it more simply, music as a product is dying. Music as a service is on the rise. Customers want service and relationships, while consumers just want products. We're moving away from a world of consumers and towards a world of customers, again.:)
Music is a service, not a product. Printed CDs are a product, not a service. There is no proper balance in the industry on these matters, and until there is, customers won't be satisfied. The problems the RIAA is having with P2P are entirely self-inflicted, either outright, or the more subtle things like "Napster filled a niche the labels weren't filling". Fact is, nobody buys 100% of the music they listen to. I'll be surprised if anybody ever buys more than, say, 15% of the music they listen to, probably much less than that. P2P doesn't change this fact.
In the radio case, music is almost ALWAYS accompanied by commercials.
So, when I switch stations during the commercials, is that immoral? Is it unethical? Have I infringed copyright by not listening to the commercials that pay for the music to be played on the radio?
It's not free, you're just not paying for it (although the radio station most definitely is).
The radio station is paying for the music on paper, and through a series of middlemen is in turn being paid to play the music. This is known as payola, and has been done for decades. The reason the RIAA is so shit-scared of P2P is because they can't payola with it, users get too much choice and force the musicians to produce better music. If the RIAA could control it the way they control radio, they'd be all over it as a new marketing medium. Or rather, if the labels could control it the way they can radio, the RIAA would never have poked its dick in this fire.
There is a reason it has its own phrase to describe it. The legal system does not invent phrases to be more descriptive of a particular crime. It tries to be as straight forward as possible.
First degree murder
Second degree murder
Manslaughter
Involuntary Manslaughter
Vehicular Manslaughter
Involuntary Vehicular Manslaughter
And, my personal favorite:
Intoxicated Manslaughter
I always thought dead was dead, you know? In any case, copyright infringement isn't theft, which I agree with, but our legal system isn't as clear with language as you say it is. They do invent phrases to be more descriptive of a particular crime, usually because it means something specific, such as Capital Murder. You get a harsher sentence if you kill for money than you do if you kill for fun.
This year I'll be celebrating 8 years of marriage with my wife, and my three kids are just pissing pretty over it.:)
When my wife asks me "does this dress make me look fat" and I tell her "yes, it does", she says "I guess I asked for it." She doesn't ask me my opinion of her clothes, and I don't volunteer it. I love her greatly, but I don't like her choice of clothing and prefer to remove it whenever I have a chance.
Must be nice to work somewhere where you can't be replaced...
It's not that simple. It's just how I expect the relationship to work. The company expects me to make certain personal sacrifices from time to time for the company, and I expect the company to reciprocate. Replacing me after I'm fully trained and so forth isn't just a matter of picking someone to replace me. Then you have to train them, and that's expensive. Numerous other problems. So if the employer is 'good', they will choose to try to keep me and I will choose to stay with them, and conflict won't happen very often, and when it does it'll be reasonably resolved.
I repost future +5's in SCO stories. If caught, I claim they were mine or an unauthorized derivative but I never actually show proof.
Did you ever come in late and lie about it?
Nope. Even when it was because I had screwed up when I set my alarm.
Did you ever lie to get off work early one day?
Nope. I figure if I have to lie to get off work early, I don't have a good enough reason to get off work. OTOH, if I *do* have a good enough reason and the boss won't let me go, I'll walk. If the boss really wants me, and he always knows this about me, he won't push it.
Did you ever lie to a co-worker?
Nope. Had a guy who was my employer once tell me I should lie to coworkers occasionally. I was out of there within a week.
I'll be the first to say that lying by itself isn't immoral or unethical. The fact of the matter is that it's impractical. When you lie to someone, they eventually find out you were lying and they're much less likely to believe you in the future. So you hurt the relationship. If it's your boss, you want a strong relationship, and lying will not build a strong relationship. If it's your coworker, you want a strong relationship as well. Lying will not build it. If *you* are the boss, you want a strong relationship with your employees, vendors, customers, et al, and lying will not build that either.
There are probably dozens of reasons why an agency might not want to go through the effort of compiling a duplicate copy of the binaries from source and checking them against a distributed copy.
I certainly agree that an open-source model is safer than a closed-source model (for the same reasons that we have peer review for medical procedures.) However, this is no excuse for bad arguments. The GPL does nothing to prevent the kind of attack mentioned in the Dev X article (a group of disgruntled open-source programmers slipping a trojan horse into a binary distribution.)
In most applications, you're absolutely correct. Why go to all the trouble? But the author of the article was talking about secure applications, or at least he wanted us to think he was.:) Stuff like databases that hold all your social security numbers, credit card transactions made in exchange for driver's licenses, and so forth. Sensitive stuff that must be secured. In those highly sensitive applications, I think it's totally reasonable to require that the application be deployed only from in-house compiled source that has been audited in-house.
The protection the GPL gives you is exactly that auditing power. Just because IBM sold you the software, if you have a procedure that says you must only deploy stuff you compiled in-house and you must audit the code, then you still have to do it, and it doesn't matter if IBM sold it to you or not. The GPL ensures that you will have source you can audit. If you get GPL software from a no-name vendor and they refuse to give you the source, the GPL empowers you to take it from them with subpoenas and stuff. Or you can shut them down outright (albeit after some court fighting) as far as distribution goes. The GPL is a weapon, and in this contrived situation, it is the weapon that will ensure you have the opportunity to check your software. Whether you do it or not is another discussion entirely.
When you say the GPL does nothing to prevent this attack, you're only half-right. It doesn't actively do anything to prevent this type of attack, and that's fine because it wasn't ever intended to actively prevent this type of attack. It was meant to give users certain freedoms associated with the software, including auditing the code.:) The buyer still has a responsibility to actually exercise their rights for their own protection and the protection of all this sensitive information. The reason Open Source gives you a superior way to address this issue is because it gives you the source.
The ability to destroy a star system is insignificant next to the power of the source.:)
Why would a black hat, about to commit a federal offense in planting a trojan horse, be concerned about Copyright Infringement or breach of contract?
That's not the point. The point is that the agency knows they are entitled to the source for the software, so they have absolutely no reason to run the binary without checking it against the source. And if the two things don't match up, and you happen to have targeted a government agency, you're screwed. That was the point.
Why should I look at parts of a badly structured, feature infested, bug infested monolith of an OS?
When I ran out of gas over on 520 and found myself walking down 156th Ave NE in Redmond, I asked myself this same question. The answer, right there in the heart of Microsoft, presented itself. Some well-dressed, clean cut dude came out with a CD and said "Here's the source for Windows XP." I said "What the fuck am I gonna do with that?" You know what he said?
I realize I'm preaching to the choir, but here goes:
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered).
And do closed-source companies that sell server software of any kind advertise when they themselves get breached? He raises the question of other undiscovered attacks, but he forgets to point out that Debian discussed its attack publicly because part of the open source model is "open". This same shit happens to closed source companies, they just don't tell anyone about it. The real question here isn't whether or not Debian was breached in undiscovered fashion. It's whether or not we'd even know if a closed organization was breached, and his question of the purity of the source code is even more pertinent to a closed organization than to an open one. That's what 'open' is all about.
Therefore, security problems for governments begin with knowing which distributions they can trust.
Security problems for governments exist because of negligence, for the most part. More below.
This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid.
Ok, he needs a lesson in reading comprehension, or he needs to hire a lawyer to interpret the GPL for him. Because as we all know, and love, the GPL requires that the source used to make the binary you have just distributed be made available to the person you gave it to. So let's say I fork RedHat and patch it with backdoors and crap. Then I sell it to, hmm, let's say the FBI, and they go to implement it. Since the FBI is well-known for security procedures (ha!), they decide they want to check the binary I gave them against the source I gave them. (Of course, I gave them the source without the patches) So they ask me what compiler I used, and what build tools I used, flags and so forth. I tell them. They compile the source I gave them and compare it to the binary, and I'm in trouble. I've committed copyright infringement, and we all know from years of FBI warnings what that means exactly. The simple fact is, he's trying to apply security policies that shouldn't be applied in an environment that requires the level of security he describes. What kind of FBI security policy would approve the use of open source without requiring it to be audited? Furthermore, what kind of government organization would purchase mission-critical software from a no-name company? Especially when there are a few reputable large companies available to give it to them.
He ignores the GPL quite blatantly here, and that is the government's insurance that the binary they run will be as secure as they can make it.
Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.
Most of this paragraph is doubly true about closed source companies because they are closed. An open company is subject
However, the diversity, the forkedness of OS software means there are thousands of variations that would all need auditing.
Um, no. First of all, software isn't forked that badly, in general. Second, you only need to audit the version you are planning to deploy. If it doesn't pass muster and there's a fork available that claims that it will, you audit that. If there's no fork available, you look for another piece that'll solve the same problem. If it's not available, then you patch the first one or develop from scratch in-house. In any case, it's never necessary to audit all the thousands of free software packages out there.
If I were running things, government agencies would be required to audit all source code before deploying the application, and they'd be required to compile it themselves, with a 'trusted' compiler, that they also compiled themselves. (Now someone show me what'shisfaces comment about how you can't trust the compiler).
The whole 'trusted source' thing takes care of many problems. Say NSA audits sendmail and actually determines that it's 'safe' (heaven forbid!). Now Everyone Else knows that NSA liked it, and they may not need to audit it themselves, they can just go with the version NSA audited. See what I mean?
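The check described in the comments above (rebuild from the vendor-supplied source with the toolchain the vendor declared, compare the result against the shipped binary, and let one auditor's published attestation stand in for everyone else's audit), as an added Python example that is not part of the original page. The build step is a deterministic stand-in passed in as a function, an HMAC key takes the place of the auditor's real signing key, and every sample value is constructed for the demo.

```python
# Added illustrative code, not from the original page. Demonstrates:
#  1. verify_rebuild: rebuild the vendor's source with the declared toolchain and
#     compare digests with the binary the vendor shipped (a mismatch means the
#     binary was not made from the source you were given, or the build is not
#     reproducible; either way, do not deploy until it is explained).
#  2. attest / check_attestation: an auditor publishes a signed statement over
#     the audited artifact's digest, so others can confirm their copy is the
#     audited one without repeating the audit.
import hashlib
import hmac
import json
from typing import Callable, Dict, Tuple

Builder = Callable[[bytes], bytes]  # "compile this source" -> artifact bytes


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(obj: object) -> bytes:
    # Fixed key order and no whitespace so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def verify_rebuild(vendor_binary: bytes, vendor_source: bytes, build: Builder) -> Dict[str, object]:
    rebuilt_sha = digest(build(vendor_source))
    vendor_sha = digest(vendor_binary)
    return {
        "match": hmac.compare_digest(rebuilt_sha, vendor_sha),
        "rebuilt_sha256": rebuilt_sha,
        "vendor_sha256": vendor_sha,
    }


def attest(audited_artifact: bytes, toolchain: Dict[str, str], auditor_key: bytes) -> str:
    # HMAC stands in for a real signature here (assumption: verifiers share the key).
    body = {"sha256": digest(audited_artifact), "toolchain": toolchain}
    tag = hmac.new(auditor_key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps({"attestation": body, "tag": tag}, sort_keys=True)


def check_attestation(artifact: bytes, attestation_json: str, auditor_key: bytes) -> bool:
    doc = json.loads(attestation_json)
    expected_tag = hmac.new(auditor_key, _canonical(doc["attestation"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, doc["tag"]):
        return False  # statement was altered or not issued by this auditor
    return hmac.compare_digest(doc["attestation"]["sha256"], digest(artifact))


# ---- constructed demo data (not real software, keys or hashes) ----
def toy_build(source: bytes) -> bytes:
    # Deterministic stand-in for "compile with the declared compiler and flags".
    return b"ELF-STANDIN\n" + source + b"\n" + digest(source).encode()


CLEAN_SOURCE = b"int main(void) { return serve(); }"
HONEST_BINARY = toy_build(CLEAN_SOURCE)
# Vendor built from a privately patched source but handed over the clean source.
TAMPERED_BINARY = toy_build(CLEAN_SOURCE + b"\n/* undisclosed patch */")
AUDITOR_KEY = b"constructed-demo-key-not-a-real-secret"
TOOLCHAIN = {"compiler": "as declared by vendor", "flags": "as declared by vendor"}


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    honest = verify_rebuild(HONEST_BINARY, CLEAN_SOURCE, toy_build)["match"]
    tampered = verify_rebuild(TAMPERED_BINARY, CLEAN_SOURCE, toy_build)["match"]
    statement = attest(HONEST_BINARY, TOOLCHAIN, AUDITOR_KEY)
    # Someone edits the published digest to bless the tampered binary: tag no longer matches.
    forged = statement.replace(digest(HONEST_BINARY), digest(TAMPERED_BINARY))
    return (
        honest,
        tampered,
        check_attestation(HONEST_BINARY, statement, AUDITOR_KEY),
        check_attestation(TAMPERED_BINARY, statement, AUDITOR_KEY),
        check_attestation(TAMPERED_BINARY, forged, AUDITOR_KEY),
    )


if __name__ == "__main__":
    print(demo())
```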
In a paranoiac's world, a 'trusted source' is necessary for any software distribution method, open or closed source in origin.
In a paranoid's world, there is no such thing as a trusted source.:)
Re:Maybe solve immediate problems first? Hmm? (on NASA's Own X Prize?, Score: 1)
Free energy as in speech already exists, if you know where to look for it.:)
Propane generators can usually be powered by natural gas as well. They have lower emissions than gas or diesel generators, are generally quieter, and can also be a lot cheaper in operating costs. I don't know if that makes your TCO lower than just hooking into the power grid, but free energy as in speech is here and now. But it's not free as in beer, and the cost to set it up is much higher than just getting an account with your utility guys.
Now for ways to reduce your costs. Most homes already have natural gas powered heaters, so we'll ignore heating this time.
These guys sell propane-powered replacement for appliances that are typically electric these days. Replace your fridge, dryer, and washer, and that knocks out 90% of your electric bill (except for air conditioning).
For air conditioning, I didn't find anything outside just replacing the source of electricity to the air conditioner.
Of course, if you live in a dry climate, swamp coolers are pretty nice.
If you're going to launch something that big, I think you'd keep it up there. Not much point in a large reentry craft.
Hmm, not necessarily. Maybe.:) The main thing I'm thinking is that you need to be able to send lots of people at once. What's the crew capabilities on the Seawolf? I didn't check. I suppose if we're just talking about a passenger shuttle craft, it doesn't have to be as big as all that in order to carry lots of people. The reason the shuttle has to carry so much 'dead weight' is because it has to support the crew for awhile when it gets up there, but if it could just go straight to orbit and dump its payload of passengers, it can probably be a bit smaller and still carry plenty of people.
The point the GP was making, which I thought was a good point, is that the Seawolf class sub has to live in many of the same conditions of space, and it does so. The problem he ignored is propulsion. The Seawolf is actually pretty small compared to a deep-space vehicle, I think, because of that one small thing. Sure, you could stick some ion drive units on there powered by the nuclear plant, but how fast would it go, then? How long would it take to accelerate? That's the real question.:) Of course, if you cut the crew in half or more, which you're safe to do when you remove the weaponry because you don't need people to man the weapons stations, then you have more room for propulsion.
I'm curious enough about this that I'd be interested in seeing a breakdown of how much each component and system of the Seawolf-class sub weighs. I don't want anything classified, of course, but if someone can give this information I'd really be interested in seeing it.
As a Mac/FreeBSD user, who understands that people have to use Windows, I have a question. Why do people hate Windows Me specifically? As a product, I realize it's stupid to upgrade to (Win98 + different salad dressing), but if it was just that I don't see why people would hate it so much. From people I've met, it sounds like installing Me is the worst thing you can put on your box; people would rather use 98. Is it just that the removal of real mode DOS causes more problems than it solves or something?
Hmm, I'll give it a go, but I may not have it quite right.
Windows ME uses the same HAL as Windows 2000, but it's strapped onto an 'upgraded' win9x kernel, which is the old DOS kernel, as far as I know. True to form, Microsoft didn't quite get it right, so the HAL itself is extremely buggy and prone to failure. Since they were still kicking around the old DOS kernel, they still didn't have a decent threading model, and shit still interfered with one another. The 'improvements' wound up being more trouble than they were worth. I guess I would liken it to backporting Linux 2.6's HAL to Linux 2.0 and patching it with a bunch of untested crap from Siberia, passing it through 4 beta-testers who all just clicked on "My Computer" and said "Works Great!", and then releasing it.
From a usability point of view, it's slower than win98 by a long shot, drivers are few and far between (uses Windows 2000's HAL, but can't use Windows 2000 drivers, so ME requires a special set of drivers that don't work in any other version of Windows), and tends to crash if you have too many processes running. It's less stable than win95, more like the old Amiga OS in the 1.2 days without the cute guru meditations.
Actually, I used it for awhile and didn't experience any of this. Not that I loved it or anything, just that I didn't have any problems that I could directly attribute to WinME. I went to Win2k soon after it, though, because I wanted the NT kernel, and then finally dumped windows entirely for Mandrake Linux. So I haven't really used a Windows computer in 2 years.
Heh heh, I don't know why you decided to make me your enemy, but your post was dead on.:)
Um, that's nice. Wake me when we have 100% efficient solar cells, so that we can actually have total "captured solar energy". Oh, and when it's possible to manufacture 22,500 square miles of solar panels without utilizing massive quantities of some very nasty materials. Oh, and when the things will install and maintain themselves. Oh, also, and when we cease to have power loss in transmission. Oh, and when we have retrofitted our entire economy to use one power source (alternating electric current), instead of the variety we currently use.
I've actually been thinking about this, and I really don't have any idea how solar cells work, but I was thinking that a small greenhouse-like structure insulated with that fancy aerogel stuff would do an excellent job collecting heat. Right? So now we just have to convert that heat to electricity. Three ways I know of off the top of my head.
Pipe water through it. Use the heat to heat the water in a steam generator.
Stick those fancy little gadgets that Honda uses on their brakes to turn the heat into electricity. I forget what they're called.
Use it as the heat side of a Stirling engine where the torque of the engine is attached to a generator.
No kidding. Like they told me in grade school, we'll be bone dry by 1985! Time to hit the panic button.
I tend to think that we're running out of oil in the same sense that as soon as you're born you're dying. We *will* run out of oil eventually, so it is a problem that should be addressed sooner rather than later. Personally, I don't trust either the oil companies or the freaks like you responded to when they give us estimates for how long the oil we have will last, but I'd really like to see something renewable first (like alcohol) and non-polluting second.
Energy which is distributed so that its source code can be freely examined and modified by the end user?
Isn't that how energy is already distributed? If you want to examine your electricity directly, just stick a hanger in an electrical outlet!:)
Who was it you ask? Canada! How 'bout that, eh? Now ask yourself, why?
Because they're closer than everybody else?
No, see, Canada sends us "Ol", not "Oil". See, Canadians think that the war in Iraq is 'aboot ol'.:)
The Seawolf has a submerged displacement of 8,060t dived, and 7,700t surfaced.
Hmm, if I recall correctly, displaced water is supposed to weigh the same as the item doing the displacement. Or am I on crack? Anyway, that's the closest to a weight measurement I found.
So the two begging questions are:
Can NASA put 7,700 tons into orbit?
Can a Seawolf deal with re-entry heats?
Obviously, if we stripped out all the weapons systems and everything associated with weapons systems, we'll have a lot less weight than before. So there's room (assuming NASA can even lift that much into orbit) for improvements.
Of course, they could just take the basic systems that NASA needs, weigh them and so forth, and then design a shuttle to use them.:) Not that that would be easy in itself, nuclear plants aren't light.
The blog should last about as long as it takes Michael Dell to take his tongue out of Bill Gates' bunghole.
From the interview:
I went over to a friend's house the other day. He was having problems with his computer and he asked me to look at it, and I realized he had Windows Me and it's like, oh no--that's your first problem.
In other news, I love Texas businessmen.:) Check this out:
so we're very happy to let the other guys have 100 percent of the 15 percent.
Not that I love Dell, or Michael Dell specifically, just that I really like the way Texas businessmen talk about their competition from time to time. There isn't any of this "we're gonna rule the world" crap. Usually just "as much as I can get, and I can get a lot".;) (Only New Mexicans want to rule the world, and then they move to Seattle and find the drones to do it with:( )
I don't agree with their religion, but you still have to be fair to them. Most Mormons understand justice a lot better than they understand SCO's antics.
Hmmm, do the Mormons practice the Golden Rule? 'Cause I just enforce it on them, that's all. If they don't like the way I'm treating them, well, *cough*.:)
Actually, for this to be a proper example, there also needs to be an attachment of Darl's private fortunes. If the CEO can get away with his pockets full, then it isn't much of an example. If a company is dying, the CEO doesn't care about the company, he cares about himself. So unless you ensure that HE has to pay, you haven't discouraged copycats very effectively.
In that case, we'd need to buy a significant portion of their stock and then sue Darl when all SCO's shit hits the fan. As stockholders, we could sue him for fucking over the value of the stock.:)
Granted, a bit of a riskier situation, and it would require buying the stock before the price tanked. Not that I'd contribute. I'm looking forward to seeing the IBM Inquisition on Darl's ass. Nobody expects it!
Thanks, but I've already torn through most of the Baen Free Library, at least the stuff that's real science fiction. Seems like most of it is heroic fantasy, and I'm just not that interested in swords and chivalry and troll riddles anymore.
Why would a black hat, about to commit a federal offense in planting a trojan horse, be concerned about Copyright Infringement or breach of contract?
That's not the point. The point is that the agency knows they are entitled to the source for the software, so they have absolutely no reason to run the binary without checking it against the source. And if the two things don't match up, and you happen to have targeted a government agency, you're screwed. That was the point.
Why should I look at parts of a badly structured, feature infested, bug infested monolith of an OS?
When I ran out of gas over on 520 and found myself walking down 156th Ave NE in Redmond, I asked myself this same question. The answer, right there in the heart of Microsoft, presented itself. Some well-dressed, clean cut dude came out with a CD and said "Here's the source for Windows XP." I said "What the fuck am I gonna do with that?" You know what he said?
"You'll learn how not to write code."
Part of my story is true, guess which part. :)
I realize I'm preaching to the choir, but here goes:
So far, major Linux distributions such as Debian and others have been able to discover and remedy attacks on their core source-code servers. The distributions point to the fact that they discovered and openly discussed these breaches as evidence that their security measures work. Call me paranoid, but such attacks, however well handled, serve to raise the question of whether other such attacks have been more successful (in other words, undiscovered).
And do closed-source companies that sell server software of any kind advertise when they themselves get breached? He raises the question of other undiscovered attacks, but he forgets to point out that Debian discussed its attack publicly because part of the open source model is "open". This same shit happens to closed source companies, they just don't tell anyone about it. The real question here isn't whether or not Debian was breached in undiscovered fashion. It's whether or not we'd even know if a closed organization was breached, and his question of the purity of the source code is even more pertinent to a closed organization than to an open one. That's what 'open' is all about.
Therefore, security problems for governments begin with knowing which distributions they can trust.
Security problems for governments exist because of negligence, for the most part. More below.
This (hopefully potential) problem isn't limited to open source software, but open source certainly has far fewer inherent barriers than commercial software. The easier it is to access the source code, alter it, and then recompile it for custom uses, the more likely that it will happen--and then you have no security. Any security checks performed on the software before the source is delivered are invalid.
Ok, he needs a lesson in reading comprehension, or he needs to hire a lawyer to interpret the GPL for him. Because as we all know, and love, the GPL requires that the source used to make the binary you have just distributed be made available to the person you gave it to. So let's say I fork RedHat and patch it with backdoors and crap. Then I sell it to, hmm, let's say the FBI, and they go to implement it. Since the FBI is well-known for security procedures (ha!), they decide they want to check the binary I gave them against the source I gave them. (Of course, I gave them the source without the patches) So they ask me what compiler I used, and what build tools I used, flags and so forth. I tell them. They compile the source I gave them and compare it to the binary, and I'm in trouble. I've committed copyright infringement, and we all know from years of FBI warnings what that means exactly. The simple fact is, he's trying to apply security policies that shouldn't be applied in an environment that requires the level of security he describes. What kind of FBI security policy would approve the use of open source without requiring it to be audited? Furthermore, what kind of government organization would purchase mission-critical software from a no-name company? Especially when there are a few reputable large companies available to give it to them.
He ignores the GPL quite blatantly here, and that is the government's insurance that the binary they run will be as secure as they can make it.
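The check the post describes (rebuild the shipped source with the vendor's disclosed compiler and flags, then compare the result against the delivered binary) can be scripted. The following is an added example, not code from the thread or from any distribution; the source directory, the build command and the vendor binary are hypothetical inputs supplied by the caller. The build runs in an emptied environment with a fixed SOURCE_DATE_EPOCH so that inherited CFLAGS or embedded timestamps cannot be mistaken for a tampered build, and the three exit codes separate "matches", "differs" (the case above where the vendor is in trouble) and "could not build" (which is its own finding, since a vendor whose shipped source does not even build has not met the GPL's source obligation either).

```shell
#!/bin/sh
# Added example (not from the original thread): rebuild a vendor-supplied
# binary from the source the vendor shipped, using the build command and
# flags the vendor disclosed, and compare the result byte-for-byte.
# Assumptions (hypothetical): the build command writes its output to the
# path held in $OUT; sha256sum (coreutils) or shasum (BSD) is installed.

# Portable SHA-256 of one file.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_rebuild VENDOR_BINARY BUILD_CMD
#   Runs BUILD_CMD in a scratch directory with OUT set to the file the build
#   must produce, then compares digests.
#   Returns 0 on a match, 1 on a mismatch, 2 if the build itself fails.
verify_rebuild() {
    vendor="$1"
    build_cmd="$2"
    work=$(mktemp -d) || return 2
    OUT="$work/rebuilt"
    # Controlled environment: no inherited CFLAGS/LDFLAGS, a C locale, and a
    # fixed SOURCE_DATE_EPOCH, so timestamps and stray flags cannot explain
    # a difference. Only PATH is carried over so the toolchain is found.
    if ! env -i PATH="$PATH" OUT="$OUT" SOURCE_DATE_EPOCH=0 LC_ALL=C \
            sh -c "$build_cmd"; then
        rm -rf "$work"
        echo "BUILD FAILED: shipped source does not build" >&2
        return 2
    fi
    vendor_sum=$(digest "$vendor")
    rebuilt_sum=$(digest "$OUT")
    rm -rf "$work"
    if [ "$vendor_sum" = "$rebuilt_sum" ]; then
        echo "MATCH    $vendor_sum"
        return 0
    fi
    # The delivered binary was not produced from the delivered source.
    echo "MISMATCH vendor=$vendor_sum rebuilt=$rebuilt_sum" >&2
    return 1
}

# Usage (hypothetical paths and flags):
#   verify_rebuild ./vendor/sshd 'cd /src/openssh && ./configure && make && cp sshd "$OUT"'
```

A match only shows that the binary came from the source you were given; the audit of that source, and the question of whether the compiler itself can be trusted, are still open, exactly as the post says.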
Open source software goes through rigorous security testing, but such testing serves only to test known outside threats. The fact that security holes continue to appear should be enough to deter governments from jumping on this bandwagon, but won't be. Worse though, I don't think that security testing can be made robust enough to protect against someone injecting dangerous code into the software from the inside--and inside, for open source, means anyone who cares to join the project or create their own distribution.
Most of this paragraph is doubly true about closed source companies because they are closed. An open company is subject
However, the diversity, the forkedness of OS software means there are thousands of variations that would all need auditing.
Um, no. First of all, software isn't forked that badly, in general. Second, you only need to audit the version you are planning to deploy. If it doesn't pass muster and there's a fork available that claims that it will, you audit that. If there's no fork available, you look for another piece that'll solve the same problem. If it's not available, then you patch the first one or develop from scratch in-house. In any case, it's never necessary to audit all the thousands of free software packages out there.
If I were running things, government agencies would be required to audit all source code before deploying the application, and they'd be required to compile it themselves, with a 'trusted' compiler, that they also compiled themselves. (Now someone show me what'shisfaces comment about how you can't trust the compiler).
The whole 'trusted source' thing takes care of many problems. Say NSA audits sendmail and actually determines that it's 'safe' (heaven forbid!). Now Everyone Else knows that NSA liked it, and they may not need to audit it themselves, they can just go with the version NSA audited. See what I mean?
In a paranoiac's world, a 'trusted source' is necessary for any software distribution method, open or closed source in origin.
In a paranoid's world, there is no such thing as a trusted source. :)
Free energy as in speech already exists, if you know where to look for it. :)
Generator Joe has quite a few.
Bowers Power has some as well.
Google knows all
Propane generators can usually be powered by natural gas as well. They have lower emissions than gas or diesel generators, are generally quieter, and can also be a lot cheaper in operating costs. I don't know if that makes your TCO lower than just hooking into the power grid, but free energy as in speech is here and now. But it's not free as in beer, and the cost to set it up is much higher than just getting an account with your utility guys.
Now for ways to reduce your costs. Most homes already have natural gas powered heaters, so we'll ignore heating this time.
These guys sell propane-powered replacement for appliances that are typically electric these days. Replace your fridge, dryer, and washer, and that knocks out 90% of your electric bill (except for air conditioning).
For air conditioning, I didn't find anything outside just replacing the source of electricity to the air conditioner.
Of course, if you live in a dry climate, swamp coolers are pretty nice.
We also know that the genetic sequencer, as long as it is, is nowhere near long enough to provide an actual "blueprint" of the organism being built.
Mmmmm, so it's just a checksum, then?
If you're going to launch something that big, I think you'd keep it up there. Not much point in a large reentry craft.
Hmm, not necessarily. Maybe. :) The main thing I'm thinking is that you need to be able to send lots of people at once. What's the crew capabilities on the Seawolf? I didn't check. I suppose if we're just talking about a passenger shuttle craft, it doesn't have to be as big as all that in order to carry lots of people. The reason the shuttle has to carry so much 'dead weight' is because it has to support the crew for awhile when it gets up there, but if it could just go straight to orbit and dump its payload of passengers, it can probably be a bit smaller and still carry plenty of people.
The point the GP was making, which I thought was a good point, is that the Seawolf class sub has to live in many of the same conditions of space, and it does so. The problem he ignored is propulsion. The Seawolf is actually pretty small compared to a deep-space vehicle, I think, because of that one small thing. Sure, you could stick some ion drive units on there powered by the nuclear plant, but how fast would it go, then? How long would it take to accelerate? That's the real question. :) Of course, if you cut the crew in half or more, which you're safe to do when you remove the weaponry because you don't need people to man the weapons stations, then you have more room for propulsion.
I'm curious enough about this that I'd be interested in seeing a breakdown of how much each component and system of the Seawolf-class sub weighs. I don't want anything classified, of course, but if someone can give this information I'd really be interested in seeing it.
As a Mac/FreeBSD user, who understands that people have to use Windows, I have a question. Why do people hate Windows Me specifically? As a product, I realize it's stupid to upgrade to (Win98 + different salad dressing), but if it was just that I don't see why people would hate it so much. From people I've met, it sounds like installing Me is the worst thing you can put on your box; people would rather use 98. Is it just that the removal of real mode DOS causes more problems than it solves or something?
Hmm, I'll give it a go, but I may not have it quite right.
Windows ME uses the same HAL as Windows 2000, but it's strapped onto an 'upgraded' win9x kernel, which is the old DOS kernel, as far as I know. True to form, Microsoft didn't quite get it right, so the HAL itself is extremely buggy and prone to failure. Since they were still kicking around the old DOS kernel, they still didn't have a decent threading model, and shit still interfered with one another. The 'improvements' wound up being more trouble than they were worth. I guess I would liken it to backporting Linux 2.6's HAL to Linux 2.0 and patching it with a bunch of untested crap from Siberia, passing it through 4 beta-testers who all just clicked on "My Computer" and said "Works Great!", and then releasing it.
From a usability point of view, it's slower than win98 by a long shot, drivers are few and far between (uses Windows 2000's HAL, but can't use Windows 2000 drivers, so ME requires a special set of drivers that don't work in any other version of Windows), and tends to crash if you have too many processes running. It's less stable than win95, more like the old Amiga OS in the 1.2 days without the cute guru meditations.
Actually, I used it for awhile and didn't experience any of this. Not that I loved it or anything, just that I didn't have any problems that I could directly attribute to WinME. I went to Win2k soon after it, though, because I wanted the NT kernel, and then finally dumped windows entirely for Mandrake Linux. So I haven't really used a Windows computer in 2 years.
Heh heh, I don't know why you decided to make me your enemy, but your post was dead on. :)
Um, that's nice. Wake me when we have 100% efficient solar cells, so that we can actually have total "captured solar energy". Oh, and when it's possible to manufacture 22,500 square miles of solar panels without utilizing massive quantities of some very nasty materials. Oh, and when the things will install and maintain themselves. Oh, also, and when we cease to have power loss in transmission. Oh, and when we have retrofitted our entire economy to use one power source (alternating electric current), instead of the variety we currently use.
I've actually been thinking about this, and I really don't have any idea how solar cells work, but I was thinking that a small greenhouse-like structure insulated with that fancy aerogel stuff would do an excellent job collecting heat. Right? So now we just have to convert that heat to electricity. Three ways I know of off the top of my head.
No kidding. Like they told me in grade school, we'll be bone dry by 1985! Time to hit the panic button.
I tend to think that we're running out of oil in the same sense that as soon as you're born you're dying. We *will* run out of oil eventually, so it is a problem that should be addressed sooner rather than later. Personally, I don't trust either the oil companies or the freaks like you responded to when they give us estimates for how long the oil we have will last, but I'd really like to see something renewable first (like alcohol) and non-polluting second.
Energy which is distributed so that its source code can be freely examined and modified by the end user?
Isn't that how energy is already distributed? If you want to examine your electricity directly, just stick a hanger in an electrical outlet! :)
Who was it you ask? Canada! How 'bout that, eh? Now ask yourself, why?
Because they're closer than everybody else?
No, see, Canada sends us "Ol", not "Oil". See, Canadians think that the war in Iraq is 'aboot ol'. :)
The Seawolf has a submerged displacement of 8060t dived, and 7,700t surfaced.
Hmm, if I recall correctly, displaced water is supposed to weigh the same as the item doing the displacement. Or am I on crack? Anyway, that's the closest to a weight measurement I found.
So the two begging questions are:
Obviously, if we stripped out all the weapons systems and everything associated with weapons systems, we'll have a lot less weight than before. So there's room (assuming NASA can even lift that much into orbit) for improvements.
Of course, they could just take the basic systems that NASA needs, weigh them and so forth, and then design a shuttle to use them. :) Not that that would be easy in itself, nuclear plants aren't light.
The blog should last about as long as it takes Michael Dell to take his tongue out of Bill Gates's bunghole.
From the interview:
In other news, I love Texas businessmen. :) Check this out:
Not that I love Dell, or Michael Dell specifically, just that I really like the way Texas businessmen talk about their competition from time to time. There isn't any of this "we're gonna rule the world" crap. Usually just "as much as I can get, and I can get a lot". ;) (Only New Mexicans want to rule the world, and then they move to Seattle and find the drones to do it with :( )
My wife brought home a contract of adhesion one time. We had to get EMS out here to separate my dick from her boobs.
Oh wait, I thought that said "contraceptive of adhesion". Never mind! Carry on!
If you add on line 3,567 in comments.pl the following line:
Then you'll have it!
I don't agree with their religion, but you still have to be fair to them. Most Mormons understand justice a lot better than they understand SCO's antics.
Hmmm, do the Mormons practice the Golden Rule? 'Cause I just enforce it on them, that's all. If they don't like the way I'm treating them, well, *cough*. :)
Actually, for this to be a proper example, there also needs to be an attachment of Darl's private fortunes. If the CEO can get away with his pockets full, then it isn't much of an example. If a company is dying, the CEO doesn't care about the company, he cares about himself. So unless you ensure that HE has to pay, you haven't discouraged copycats very effectively.
In that case, we'd need to buy a significant portion of their stock and then sue Darl when all SCO's shit hits the fan. As stockholders, we could sue him for fucking over the value of the stock. :)
Granted, a bit of a riskier situation, and it would require buying the stock before the price tanked. Not that I'd contribute. I'm looking forward to seeing the IBM Inquisition on Darl's ass. Nobody expects it!
Thanks, but I've already torn through most of the Baen Free Library, at least the stuff that's real science fiction. Seems like most of it is heroic fantasy, and I'm just not that interested in swords and chivalry and troll riddles anymore.