The line of reasoning is a software-attribute-specific application and has little or no known real-life (or human social) aspect that mirrors my statement, except for maybe Monte Carlo (gambling).
The grid axes are: Past (X) and Future (Y). I'll demonstrate that X is independent of Y, hence my original posting.
One can have a perfectly good piece of usable software with no known past or future bug. Quite an achievement that OSS hopes to demonstrate (and I truly do hope so). DJS-DNS is a potential contender for this category.
Others can have a perfectly good piece of software with lots of hidden/undiscovered (future) bugs. I'd say WordPerfect and Lotus 1-2-3 are among them. (Don't ask how I know this.)
3rd combination: software that has an intensely buggy history but performs admirably would be BIND and DHCPD. I'd like to say sendmail, but GOSH, that M4 rule-syntax processing looks error-prone.
Worst combination: lots of reported bugs, and lots of future bugs. Netscape! Surprised? Don't be. It hasn't reached critical mass level yet (and probably won't).
Actually, that approach would disqualify you from any Quality Assurance position in any industry. (It does make for a perfect job interview question).
The real answer is:
"The quality, severity and frequency of reported bugs is no indication of a product's buggy future, UNLESS you are willing to go through the code yourself and deem it bug-less."
You may remember a toy that is filled with semi-gelled fluid and sparkly glitter which, when you squeeze it, escapes your hand.
I would rather have my financial records zipped shut than anything else. To watch my bank's 100s of affiliates consolidate my financial activities into a single location, which is then squirted out with no compunction nor adherence to the law to many other places besides your usual uber credit bureaus.
Submitting your Privacy Act requests, no matter how complete, is like "a lil' Dutch boy putting his finger in the dike."
When ATM machines first came out in 1973, a local bank (later Walpole Bank, at the behest of United California Bank, bestowed on First Interstate, then... never mind) installed one Diebold NCR ATM machine in my neighborhood.
Eager to try them out, I sent away for an ATM card. Weeks later, an envelope arrived. Ripped it open to reveal a bright competition-orange ATM card with my slightly sunken embossed name on it. It looked just like a credit card (the holo-logo wasn't out yet). Back then, the PIN number came with the CARD (snicker).
First act was to dash down to the bank and insert the card. I then explored all menu options, just to see what my options were.
Second act was to withdraw what little money I had in my kiddie savings account. Done. Not bad.
Third act was to press Deposit (curiosity kills the cat?). It asked for the amount. I entered in $1000.00 and lo and behold, the envelope drawer mouth opened up. I stared at it as if a hippo, at the zoo, were beckoning for some food.
After a mad grapple for an envelope, I realized that I wasn't going to go through with this notion because I didn't have that much cash on hand (this was 1973 and I was only a kid).
So, after MUCH trepidation, in went the empty envelope. And the monstrous mechanical mouth snapped shut.
Curious about that automated deposit procedure, I checked my balance and I was a thousand RICHER! Way!
Even more curious, I proceeded to withdraw the ill-gotten gain. We all recall that ATMs have a daily limit per account, but no ma'am. This one coughed up all requested $1000 upon withdrawal.
I knew no laws were in place with regard to electronic bank robbery (or illegal electronic fund transfers for that matter). But this was definitely a technical glitch. I can't tell you how wide my grins were. A literal kid in a proverbial candy store.
Walked, no, ran home with those 1K wads of 20s.
(End of the story?) Nope, my dad got a phone call the following Monday telling us that "the bank made an error" and that we owed them 1K.
Moral of the Story? There isn't any. --- Well... Maybe.... Just enjoy life to the limit.
Thank you open source for opening my eyes to better software through open collaboration and open cooperation. You've shattered my belief that corporations can fix after themselves.
Instead, we see tons of industries built upon MS insecurities.
Time to experience another industry bubble-burst, this time in the security sector, not I&T.
I'm surprised that this isn't mentioned, but you can start up your very own CA server, complete with revocable certs for your domain's web servers, mail servers, mail accounts and (yikes) signed software.
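What running your own CA with revocable certificates actually involves, as an added example that is not part of the original comment and is not OpenCA's code: it uses Python's `cryptography` package, keeps every key and certificate in memory, and all names in it ("Example Internal CA", "www.example.internal", "mail.example.internal") are made up. The CA issues two server certificates, revokes one, signs a CRL, and checks both the signatures and the revocation status.

```python
"""Minimal private CA: issue server certificates, revoke one, publish a CRL,
and check revocation.  Added example using the `cryptography` package; not
code from the original post or from OpenCA.  All names are made up."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Fixed clock so the output is reproducible; a real CA uses the current time.
NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)


def make_ca(name="Example Internal CA"):
    """Self-signed root: ca=True, and the key may sign certs and CRLs only."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .add_extension(x509.KeyUsage(
                digital_signature=True, key_cert_sign=True, crl_sign=True,
                content_commitment=False, key_encipherment=False, data_encipherment=False,
                key_agreement=False, encipher_only=False, decipher_only=False), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_server_cert(ca_key, ca_cert, hostname, days=398):
    """Leaf certificate for one host: ca=False, SAN set, server-auth EKU only."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(ca_cert.subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]), critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def build_crl(ca_key, ca_cert, revoked_serials, when=NOW):
    """CRL listing the given serials; next_update tells clients when to refetch."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ca_cert.subject)
               .last_update(when).next_update(when + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(when).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def signed_by(obj, ca_cert) -> bool:
    """True if a certificate or CRL carries a valid signature from ca_cert's key."""
    public_key = ca_cert.public_key()
    if isinstance(obj, x509.CertificateRevocationList):
        return obj.is_signature_valid(public_key)
    try:
        public_key.verify(obj.signature, obj.tbs_certificate_bytes,
                          ec.ECDSA(obj.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def is_revoked(cert, crl) -> bool:
    """Revocation is keyed on the serial number, so serials must never repeat."""
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def demo():
    ca_key, ca_cert = make_ca()
    _, web = issue_server_cert(ca_key, ca_cert, "www.example.internal")
    _, mail = issue_server_cert(ca_key, ca_cert, "mail.example.internal")
    crl = build_crl(ca_key, ca_cert, [mail.serial_number])  # mail host key compromised
    return {
        "ca_cert": ca_cert, "web_cert": web, "mail_cert": mail, "crl": crl,
        "web_revoked": is_revoked(web, crl),
        "mail_revoked": is_revoked(mail, crl),
        "crl_pem": crl.public_bytes(serialization.Encoding.PEM).decode(),
    }


if __name__ == "__main__":
    result = demo()
    print("www revoked:", result["web_revoked"], "| mail revoked:", result["mail_revoked"])
    print(result["crl_pem"])
```

Clients only learn about the revocation if they fetch the CRL (or ask an OCSP responder), so a real deployment also publishes the CRL at the URL carried in each certificate's CRL Distribution Points extension, which this example leaves out. The CA private key is the entire root of trust for everything it has signed, which is why it belongs offline or in a hardware token rather than on the web server it vouches for.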
I've subscribed to Boot magazine since the first issue came out and still am receiving Maximum PC.
The pseudo-trademark "Kick Ass" still gets my attention.
Then there is CPU magazine, which is a shiny competitor of Maximum PC.
Between the two of them, I'd say that Maximum PC is still about their "maxim" whereas CPU covers broader topics (much like PC Magazine).
The reviews of bleeding-edge technology (of x86 platforms) are best cornered by Maximum PC and no other publication.
Then there is Maximum PC's "Watchdog." Ooooh, nothing like blasting inept and shoddy vendors out of the water with scathing choices of the English language. Woof!
Those are my humble two cents worth (after adjusting for inflation).
I know Ethereal has a leg up on a-priori-based protocol detectors, but I sure would like to see that extended to other forms of Layer 2 (other than Ethernet DIX version 2).
My house sits, what, like 20 yards from the FTTH junction box.
I can't get FTTH because SBC/SureWest (and any other FTTH competitors) are understaffed to do rollouts. Their current focus right now is on new housing developments and tracts.
20 yards! Oh the torture of staring at this FTTH junction box as I drive/walk by every day.
SCO Unix (and OpenServer) is derived from
SCO XENIX 3.0 (Feb 84) and
XENIX OS (Aug 25, 1980) and
Unix System V and
UNIX Time-Sharing System (TSS) Seventh Edition (Jan 1979).
Get a load of this...
Linux 2.2.16 (June 7, 2000)
went into UnixWare NSC 7.1.1+LKP (August 21, 2000)
Linux 2.4.0test8 (Sept 8, 2000)
went into UnixWare 7.1.1DCFS (Nov 27, 2000)
So, my take is, for the SCO PR machine to even remotely use the word "Linux" makes this an instant (and potentially) fraudulent case which Linux can pursue.
SCO's intent is probably really closer to the GNU part than it is to the Linux part (GNU/Linux?).
Every program has bugs. There is no way around it. What makes the difference though is how you respond to bugs when they are found.
I vehemently disagree with the premise above.
There is no bug in the code in which I wish to add one to a variable:
a += 1;
More than 80% of programmers will agree with me that it is possible to write a perfect program (provided that such a problem statement is carefully written). The rest of the 20% can go take a hike. :-P
One leading IPS vendor, Tippingpoint.com, can actually catch a specific protocol across any port, such as eDonkey, Gnutella, KaZaA, Shareaza.
Universities love these IPS products as a form of bandwidth-saving measure.
The unit usually pays for its own cost in the form of bandwidth reduction (or avoidance of shelling out $$$ for additional bandwidth) in less than a year (or two).
Oh, it also blocks those pesky HTTP tunneling proxies that students use to defeat cheaper and less effective IDS vendors.
Not to mention blocking about-to-be-successful trojan sessions. And many protections against many software vulnerabilities (i.e., Code Red, Sache, BugBear...)
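Port-independent protocol identification of the kind the post above credits TippingPoint with, and the payload-heuristic (rather than a-priori, port-based) detection the earlier Ethereal comment asks for, as an added example: this is not the poster's code and not any vendor's. The byte signatures are simplified from the public Gnutella, BitTorrent, eDonkey, TLS and HTTP handshakes and are assumed good enough for a demonstration, not for production, and every packet in `SAMPLE_PACKETS` is constructed by hand.

```python
"""Port-independent application-protocol identification for the first
client->server TCP payload of a connection, with an in-line block/allow
verdict.  Added example: not code from the original post or from any IPS
vendor.  Signatures are simplified from the public handshakes (an assumption,
not a full decoder) and all sample packets are constructed, not captured."""
import re
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    dst_port: int
    payload: bytes  # first bytes the client sent on the connection


# What an a-priori, port-based classifier would assume.
PORT_MAP = {80: "http", 443: "tls", 6346: "gnutella", 4662: "edonkey", 6881: "bittorrent"}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify_payload(data: bytes):
    """Return (protocol, detail) from the payload alone; the port is never consulted."""
    if data.startswith(b"GNUTELLA CONNECT/"):
        return "gnutella", "handshake"
    if len(data) >= 20 and data[0] == 0x13 and data[1:20] == b"BitTorrent protocol":
        return "bittorrent", "handshake"
    # eDonkey: 0xE3 marker, little-endian length of (opcode + body), opcode 0x01 = hello
    if len(data) >= 6 and data[0] == 0xE3:
        length, opcode = struct.unpack_from("<IB", data, 1)
        if length == len(data) - 5 and opcode == 0x01:
            return "edonkey", "hello"
    # TLS: record type handshake (0x16), version 3.x, handshake type ClientHello (0x01)
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03 and data[5] == 0x01:
        return "tls", "client_hello"
    m = HTTP_REQUEST.match(data)
    if m:
        method = m.group(1).decode()
        return "http", "tunnel" if method == "CONNECT" else method.lower()
    return "unknown", ""


def inspect_packet(pkt: Packet, blocked=("gnutella", "edonkey", "bittorrent")):
    """In-line verdict: block P2P handshakes and HTTP CONNECT tunnels on any port;
    allow but flag traffic whose payload disagrees with what its port implies."""
    proto, detail = classify_payload(pkt.payload)
    expected = PORT_MAP.get(pkt.dst_port, "unknown")
    if proto in blocked:
        return "block", proto, f"{proto} {detail} on port {pkt.dst_port}"
    if proto == "http" and detail == "tunnel":
        return "block", proto, f"HTTP CONNECT tunnel on port {pkt.dst_port}"
    if proto != "unknown" and expected not in ("unknown", proto):
        return "allow", proto, f"port {pkt.dst_port} implies {expected} but payload is {proto}"
    return "allow", proto, ""


def edonkey_hello(body: bytes = b"\x10" + b"\x00" * 16) -> bytes:
    """Build a constructed eDonkey hello packet with a consistent length field."""
    return b"\xe3" + struct.pack("<I", 1 + len(body)) + b"\x01" + body


# Constructed sample traffic (not captures).
SAMPLE_PACKETS = [
    Packet(80, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: demo\r\n\r\n"),       # P2P hiding on 80
    Packet(443, edonkey_hello()),                                         # P2P hiding on 443
    Packet(3128, b"CONNECT irc.example.net:6667 HTTP/1.1\r\n\r\n"),       # proxy tunnel
    Packet(6881, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"h" * 40),   # on its usual port
    Packet(443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),             # genuine TLS
    Packet(8080, b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n\r\n"),
    Packet(443, b"GET / HTTP/1.0\r\n\r\n"),                               # plaintext on 443
]


def run_demo():
    """(verdict, protocol) for each sample packet, in order."""
    return [inspect_packet(p)[:2] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, proto, reason = inspect_packet(p)
        print(f"dport={p.dst_port:<5} {proto:<10} {verdict:<5} {reason}")
```

The point of the port-protocol mismatch branch is the one the post makes about tunneling proxies: a port-based classifier calls everything on 443 "TLS", while the payload check sees plaintext HTTP or an eDonkey hello there and can block or flag it. A real in-line device also has to reassemble the stream and cope with evasion (split or padded handshakes), which this first-packet check does not attempt.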
NSM is the sagging NIDS/HIDS vendors' response to the IPS-industry and I predict this will largely fail to attain their goal as the various NSM books are outdated already. This is why...
There is Prevention, Monitoring and Response, in that order. Each stage incurs a tremendous cost multiplier as an event progresses through each stage. Nip this in the bud where it should be, and that is Prevention.
NIPS products are not easily bypassed compared to their heathen brethren (IDS, NSM, FW) due to their in-line "bump-in-the-wire" characteristics. One IPS vendor's ability to detect encrypted session data is the envy of the IPS industry. Another tracks unidentified protocols (by the use of known-protocol filters). Government loves these features.
My take on false positives is stated earlier in this Slashdot post.
The real 1st-generation IPS goal is to reduce event logging, absolute control of malicious traffic (i.e., trojans, DoS) and operational cost savings across the board.
The 2nd-generation IPS will encompass the viral checking of various payloads as well as additional firmware-based algorithms for high-speed checking.
NSM is still riding the IPS coattail from afar. Go where the real technological and cost-saving lead is: Prevention as in IPS.
Shooting from the hip has costly implication. So, shame on me...
Thank you... "insignificant indication" might be what I was shooting for.
You will notice that if you visit the website and enter in your data, only the last 10 entries are shown.
AND that only the first 10 are tabulated, despite what they say are periodical.
It is suspicious tabulation so far....
Cluestick...
non-MP3...
dead battery...
Sony R&D, try again. You missed the general populace.
Diebold can't even do the verify part. Why are they even allowed to do this?
.... "Trust But Verify."
We need to get those policy makers to repeat after themselves: "Trust But Verify", "Trust But Verify"
All boils down to my post's subject title...
Privacy Act doesn't work anymore.
OMG.
The ulterior motive of Microsoft's partial source release is to pull another SCO-style lawsuit in a few years (or months).
Who needs another SCO with a bigger bankroll?
Don't even click-approve their EULA when getting their source.
Need we say more?
How many more years of baseless stupidity of open security holes must we endure?
How much longer is security through obscurity going to carry a clueless monopoly to its demise?
Patience has its virtue. But for the end-user, only fools would get lucky. Not this time, Bill.
I'm sticking with Firefox/Mozilla. Mozilla
I know I did, and boy am I glad.
http://www.openca.org
Never mind the naysayers of having your own CA, I benefited greatly, and so should you.
Groan...
Oh, the horror...
Is this the same principle as yelling "Fire" in a movie theater?
Lemme see...
Good luck...
Seems like the future is no longer "Security Through Obscurity" but more like "Trust but Verify"
;-)
I trust you
Only 0.41?
I'd gladly pay $1.50/gallon for this stuff!
What a markup for these biodiesel guys!
Big Ugly Fat F***er
Long may she fly into the next two decades!
Bammkkkk,
Ok, ok... I'll suck it up. I, personally, wouldn't go without monitoring myself either.
So, I do agree with you wholly on all your points.
Could you at least agree that prevention is the forefront cornerstone of all defense mechanisms?
After all, prevention is a frequent dictum in the "Arts of War."
NIPS addresses all of the issues stated above.
Try www.TippingPoint.com.