FC3 repositories have been caught up for months. It is really worth checking out if you ever get the chance. I don't know if you've ever used debian, I have, I still have one server running debian. I used to have many more servers running debian but they've been phased out with fedora. Honestly, unless your running Debian stable, the thing will break your machine about once a month (although I install a lot of software and thus get alot of updates). It won't break so bad that you have to reinstall the OS or even reboot, but it'll break some little thing that I personally didn't have the time to fiddle with. Alot of wierd things go on with their repositories (personally I think it needs to be more centrally managed by less people or people in more communication). Right now the only reason I haven't phased out my last debian server is for uptime, but there is an issue that I'm having with apt and dependencies right now so I can't even grab updates until I resolve this. Going into #debian on irc is never any use to anyone... they'll laugh you out of there. That's just my perspective on the thing. Take care. Regards, Steve
Please go download Fedora and tell me if up2date isn't free anymore (all updates are free, not just security related ones). Even if your running one of redhat's servers, you can simply switch your yum repositories and up2date is free again. I've been using redhat for 6-7 years and they've never once asked me for a penny. Regards, Steve
Fedora never asks for money anywhere, ever and updates are free. On their enterprise servers just switch the yum repositories (very simple to do). Although for their enterprise line, switching repos works fine, you may want to also check out CentOS.org . Regards, Steve
Red Hat as always continues to develop more kernel,gnome, and freedesktop code then anyone else. They pay the salaries of some of the greatest minds in the linux community and are mostly responsible for where Linux is today. Give them a little slack... Fedora 1 is RH10, same engineers and process, they just stopped asking for money. Regards, Steve
Fedora 1 was RH10, why do people keep saying otherwise? Same exact design process with the same exact engineers, they just stopped asking for money. Stop spreading misinformation. Fedora Core 3 is more stable and reliable then any other desktop distro on the market currently. Sure, as a corporation they may have painted a bad picture, but don't base your oppinions on fud that's been fed to you, base it on technical merits, try FC3 and you'll see how great it is. Regards, Steve
Fedora Core 1 was RH10. It was simply a name change, nothing else. Same engineers still working on it. The distro is still rock solid and even easier to use then RH9. The only thing they did is decide to not ask for money for it anymore. Honestly, check out FC3 if you ever get the chance, you won't be disappointed. Regards, Steve
From my perspective: Red Hat is really the only distro on the market that reliable works well, at least from my experiences. For clients interested in linux, Fedora or Red Hat Enterprise Desktop(depending upon their level of necessary support, and amount of cash) have really worked out amazingly well. Fedora, despite it's "bleeding edge" schedule has worked nicely for servers as well and the upgrade path from FC2 to FC3 was as easy as a yum update for most of my clients. I am very impressed with it. Regards, Steve
FC1 -> FC2 had some minor issues. FC2 -> FC3 had very very few reported problems with people upgrading. FC3 is probably the nicest distro on the market right now and judging form the work that has been going into FC4, FC4 is going to be amazing. If you were disappointed by FC1, I'd check out FC4 when it is released. FC3 is very nice and polished. Everything just works, yet it retains the power of linux. I've been very impressed with it. Regards, Steve
What are you talking about? Up2date is completely free, and Fedora is an excellent distro with all the same engineers behind it that built the world reknowned previous versions of the Red Hat desktop. Don't let the fud on slashdot let you think otherwise, its the only distro out of about 7 that I've tried that works on my laptop. Everything is super easy to use, set up, and configure. Its one of those distros that retains the power of linux, but everything just works. I'm very impressed with it, so much so that it has been phasing out my debian servers. I actually currently only have one debian server left, more so for its uptime then anything else:) Regards, Steve
Remote root, local root, and escalation privilege attacks are all easily stopped by SELinux, go grab Fedora and find out for yourself. By the time Linux hits critical mass, SELinux should be common among all distros. Regardless, there are usually very few of the type of exploits your talking about, at least with a setup that is nothing more then a central place for users to log in and have a home dirctory. Regards, Steve
On the east coast of the States, Philadelphia, New York, Boston, and the other big cities are really picking up pace in the linux arena, more so on the server side but every now and then on the client side as well. I don't know if it'd be a feasible business model to focus solely on consulting for linux based businesses or businesses that are interested in linux, but it definilty helps to add it to your "bag of tricks". Pretty much as a consultant you should recommend the best tool for the job and increasingly this is becoming linux. If I were you, I'd definitly start consulting on linux systems, its a fairly small market right now so you might not want it to be your only focus, but their is room for ton's of growth and according to forecasts, by 2008 the business should be huge. Regards, Steve
It really depends on the company and skill level of the admin. The typical person on slashdot is not the typical windows admin. I've seen plenty of shops where the ratio was as low as 1:12 and the admins were still freaking out and had no idea how to handle themselves. On a side note however, not only is the ratio of admin to user better for linux because of easy administration tools and things that just work(tm) but its also much easier to just say "okay here is your home directory, have fun" Lock them from the rest of the system (every distro I've seen does this by default more or less). Do an incremental rsync of their home directories everynight and if something ever goes wrong just delete their home and replace it with a good copy. The nice thing about linux is that once it gets running, it stays running. This is from experience of setting up shops with Fedora or Red Hat Enterprise Desktop depending on their needs and level of necessary suport etc... Regards, Steve
Excuse me? Use tripwire to keep track of every hash of every file. Also rsyncing to a remote lcoation helps a ton as any discrepancies tripwire finds can be easily fixed by reverting to the version in rsync, assuming tripwire says that the hash is right. This is only an issue anyway if you run as root. If you have a machine that you *know* hasn't been ran as root for a while (at least since infection) or if it has been ran as root, you know exactly what was ran, then all you have to do to clean a machine is remove executable permissions from every file in your home directory kill any of your user processes, backup any important things (data, no binaries), and delete your home folder and start over from an empty home. This assumes no privilege escalation (which is rare) regards, Steve
You've obviously never installed windows... I wish it was that simple. The only time it is ever that simple is if your using a vendor provided recovery disk. Otherwise you would boot to a nearly unusable system with absoultely no software other then a browser, media player and paint. If you want some functionality like a recovery cd install where you just pop in a disk and away it goes use Yoper. If you want something with more choice but still easy to use and install, get Fedora or Suse. (despite the distro wars, both are really nice) The Fedora install more or less consists of choosing whether you want to do a desktop install, server install, workstation install, or advanced install. Assuming you select desktop install, everything else is done for you other then a few quick questions (like name and stuff). Everything is autodetected (although you are asked to verifiy it and can change it if you so desire). The Suse install, while different, is just as easy. And regardless of your choice of distro, you'll be left with a freshly installed system that is secure, does not "call home" or have any ports open unless you specified differently and contains enough software that most users could probably get away with never having to install anything else ever. Not to mention an easy to use updating system that updates all of your software, not just select microsoft choices. As far as I'm concerned, Linux beats Microsoft and it is MS that needs to catch up and learn a thing or two from us. Regards, Steve
The best part is not only is the toolbar optional but to turn the linking feature on you have to press a button each time you'd like it to autolink stuff. (i.e. once per web page/per view) so the feature isn't even pushed on you even if you decided to grab the toolbar. Furthermore, Google made it extremely easy to switch the mapping service to two of their comptetitors, MapQuest and Yahoo! Maps. Microsoft would never ever do a thing like that. This is why Google is Good, and Microsoft is evil forevermore:) Regards, Steve
Their analysis was based on number of patches and time it took to get patched from the time it was publically released. Microsoft stays quiet about most vulnerabilities until a patch is ready and will ship it some time that month, thus the average 30 days. In addition to this, there are still IE holes unpatched from last july. This didn't make the report because its a server. Also, Linux comes with *much* more software by default and much more functionality. They said that these were default setups. That means that if they were using a distro like Red Hat, every single program gets updated as necessary over 2000 programs judging from one of my boxes). Far fewer programs get updated from Windows Update (usually only core programs and utilities... or things that Microsoft deems necessary).
Also, many OSS exploits are theoretical in nature... if a strcpy() passes an unchecked ptr and some coder sees this... whether or not that code could have been exploited... he fixes it and out goes the patch. Its a patch for something that may have never been even able to be taken advantage of. That would never happen in a commercial project. All this study shows is that these researchers define security as the ability to hide security problems as long as possible until a patch is ready and if the patch never gets ready, just never tell anyone about the problem. Following the two above stated rules would easily make any software company "secure" by their standards. As stated previously, their criteria was # of patches and time to release. Time to release is shortened by waiting until the patch is ready (which Microsoft does) and # of patches is shortened by simply not releasing non-major patches and just rolling them out with the next version. The criteria these guys used was meaningless and if anything shows that linux is doing something right if they are updating several times more programs with only twice the delay (which i really doubt is the true delay time). One other thing worth noting, the Ford guy has been paid by Microsoft several times to do studies and release them in favor of MS, I'd hardly call him a true linux fan. Maybe this time they just covered it up better... you wouldn't want to bite the hand that feeds you. Regards, Steve
Red Hat has been working on this for months now. It's already able to be ran and now Nat from Novell hopped on board too. Its going places, and very quickly. The architecture is the most advanced design of an graphics system today. More so then Longhorn and OSX. Regards, Steve
Relax... it still takes 2^69 tries. That is 590,295,810,358,705,651,712 hash operations. To brute force sha-1 it takes 2**80. This is only 2**11 times faster then a brute force attack... thats 2048 times faster. Its significant but it's not that big of a deal. It is no more significant then if someone with a 2000 node cluster tried to brute force your hash (which is completely feasible...especially for large government agencies like the NSA). In other words, if you were capable of performing 1 trillion (1,000,000,000,000) hash operations per second, it'd still take nearly 19 years for a collision to be found. I assume the NSA can knock that number down to under 24 hours, but thats expected of them. For anyone else in the world, assuming your not being followed by the NSA... and god help you if you are... sha-1 will still be fine and the entire internet security infastructure will not need to be redesigned. Regards, Steve
No, I do believe that ISPs are common carriers and thats why they aren't responsible for kiddie porn, hacking, p2p, spam, etc... The second they start filtering, they become a private carrier and at that point they are instantly liable for all the kiddie porn etc... traveling over their lines. They might be getting away with this for now, but I can't wait for this to bite them in the ass.(Yes it will eventually happen, the government just takes its time. Kind of like with the Janet Jackson thing... the FCC kept letting more and more slip through their fingers onto the airwaves, one halftime show too much and they clamped down on the whole industry. Same thing will happen here) Oh and btw... spam filtering is a service sold to the consumer... try advertising that you actively block competition as a feature and see how far you get. Regards, Steve
They honestly don't care about CentOS, read their developer mailing lists. CentOS guys ask will often ask questions and Red Hat engineers almost always promptly respond with good and accurate information. Red Hat doesn't view them as a threat, afterall Mandrake is a fork of Red Hat and it hasn't damaged Red Hat at all. Red Hat is simply doing what it is legally bound to do, read this for more info. Red Hat is a really nice distro and bashed way too much on slashdot:) Regards, Steve
Slashdot Mirror
FC3 repositories have been caught up for months. It is really worth checking out if you ever get the chance. I don't know if you've ever used debian, I have, I still have one server running debian. I used to have many more servers running debian but they've been phased out with fedora. Honestly, unless your running Debian stable, the thing will break your machine about once a month (although I install a lot of software and thus get alot of updates). It won't break so bad that you have to reinstall the OS or even reboot, but it'll break some little thing that I personally didn't have the time to fiddle with. Alot of wierd things go on with their repositories (personally I think it needs to be more centrally managed by less people or people in more communication). Right now the only reason I haven't phased out my last debian server is for uptime, but there is an issue that I'm having with apt and dependencies right now so I can't even grab updates until I resolve this. Going into #debian on irc is never any use to anyone... they'll laugh you out of there. That's just my perspective on the thing. Take care.
Regards,
Steve
Please go download Fedora and tell me if up2date isn't free anymore (all updates are free, not just security related ones). Even if your running one of redhat's servers, you can simply switch your yum repositories and up2date is free again. I've been using redhat for 6-7 years and they've never once asked me for a penny.
Regards,
Steve
You might want to check this out. It's not half as complicated as it seems and has always worked for me.
Regards,
steve
Fedora never asks for money anywhere, ever and updates are free. On their enterprise servers just switch the yum repositories (very simple to do). Although for their enterprise line, switching repos works fine, you may want to also check out CentOS.org .
Regards,
Steve
Red Hat as always continues to develop more kernel,gnome, and freedesktop code then anyone else. They pay the salaries of some of the greatest minds in the linux community and are mostly responsible for where Linux is today. Give them a little slack... Fedora 1 is RH10, same engineers and process, they just stopped asking for money.
Regards,
Steve
Fedora 1 was RH10, why do people keep saying otherwise? Same exact design process with the same exact engineers, they just stopped asking for money. Stop spreading misinformation. Fedora Core 3 is more stable and reliable then any other desktop distro on the market currently. Sure, as a corporation they may have painted a bad picture, but don't base your oppinions on fud that's been fed to you, base it on technical merits, try FC3 and you'll see how great it is.
Regards,
Steve
Fedora Core 1 was RH10. It was simply a name change, nothing else. Same engineers still working on it. The distro is still rock solid and even easier to use then RH9. The only thing they did is decide to not ask for money for it anymore. Honestly, check out FC3 if you ever get the chance, you won't be disappointed.
Regards,
Steve
From my perspective: Red Hat is really the only distro on the market that reliable works well, at least from my experiences. For clients interested in linux, Fedora or Red Hat Enterprise Desktop(depending upon their level of necessary support, and amount of cash) have really worked out amazingly well. Fedora, despite it's "bleeding edge" schedule has worked nicely for servers as well and the upgrade path from FC2 to FC3 was as easy as a yum update for most of my clients. I am very impressed with it.
Regards,
Steve
FC1 -> FC2 had some minor issues. FC2 -> FC3 had very very few reported problems with people upgrading. FC3 is probably the nicest distro on the market right now and judging form the work that has been going into FC4, FC4 is going to be amazing. If you were disappointed by FC1, I'd check out FC4 when it is released. FC3 is very nice and polished. Everything just works, yet it retains the power of linux. I've been very impressed with it.
Regards,
Steve
What are you talking about? Up2date is completely free, and Fedora is an excellent distro with all the same engineers behind it that built the world reknowned previous versions of the Red Hat desktop. Don't let the fud on slashdot let you think otherwise, its the only distro out of about 7 that I've tried that works on my laptop. Everything is super easy to use, set up, and configure. Its one of those distros that retains the power of linux, but everything just works. I'm very impressed with it, so much so that it has been phasing out my debian servers. I actually currently only have one debian server left, more so for its uptime then anything else :)
Regards,
Steve
Remote root, local root, and escalation privilege attacks are all easily stopped by SELinux, go grab Fedora and find out for yourself. By the time Linux hits critical mass, SELinux should be common among all distros. Regardless, there are usually very few of the type of exploits your talking about, at least with a setup that is nothing more then a central place for users to log in and have a home dirctory.
Regards,
Steve
On the east coast of the States, Philadelphia, New York, Boston, and the other big cities are really picking up pace in the linux arena, more so on the server side but every now and then on the client side as well. I don't know if it'd be a feasible business model to focus solely on consulting for linux based businesses or businesses that are interested in linux, but it definilty helps to add it to your "bag of tricks". Pretty much as a consultant you should recommend the best tool for the job and increasingly this is becoming linux. If I were you, I'd definitly start consulting on linux systems, its a fairly small market right now so you might not want it to be your only focus, but their is room for ton's of growth and according to forecasts, by 2008 the business should be huge.
Regards,
Steve
Looks interesting, thanks I'll check it out.
Regards,
Steve
It really depends on the company and skill level of the admin. The typical person on slashdot is not the typical windows admin. I've seen plenty of shops where the ratio was as low as 1:12 and the admins were still freaking out and had no idea how to handle themselves. On a side note however, not only is the ratio of admin to user better for linux because of easy administration tools and things that just work(tm) but its also much easier to just say "okay here is your home directory, have fun" Lock them from the rest of the system (every distro I've seen does this by default more or less). Do an incremental rsync of their home directories everynight and if something ever goes wrong just delete their home and replace it with a good copy. The nice thing about linux is that once it gets running, it stays running. This is from experience of setting up shops with Fedora or Red Hat Enterprise Desktop depending on their needs and level of necessary suport etc...
Regards,
Steve
Excuse me? Use tripwire to keep track of every hash of every file. Also rsyncing to a remote lcoation helps a ton as any discrepancies tripwire finds can be easily fixed by reverting to the version in rsync, assuming tripwire says that the hash is right. This is only an issue anyway if you run as root. If you have a machine that you *know* hasn't been ran as root for a while (at least since infection) or if it has been ran as root, you know exactly what was ran, then all you have to do to clean a machine is remove executable permissions from every file in your home directory kill any of your user processes, backup any important things (data, no binaries), and delete your home folder and start over from an empty home. This assumes no privilege escalation (which is rare)
regards,
Steve
You've obviously never installed windows... I wish it was that simple. The only time it is ever that simple is if your using a vendor provided recovery disk. Otherwise you would boot to a nearly unusable system with absoultely no software other then a browser, media player and paint. If you want some functionality like a recovery cd install where you just pop in a disk and away it goes use Yoper. If you want something with more choice but still easy to use and install, get Fedora or Suse. (despite the distro wars, both are really nice) The Fedora install more or less consists of choosing whether you want to do a desktop install, server install, workstation install, or advanced install. Assuming you select desktop install, everything else is done for you other then a few quick questions (like name and stuff). Everything is autodetected (although you are asked to verifiy it and can change it if you so desire). The Suse install, while different, is just as easy. And regardless of your choice of distro, you'll be left with a freshly installed system that is secure, does not "call home" or have any ports open unless you specified differently and contains enough software that most users could probably get away with never having to install anything else ever. Not to mention an easy to use updating system that updates all of your software, not just select microsoft choices. As far as I'm concerned, Linux beats Microsoft and it is MS that needs to catch up and learn a thing or two from us.
Regards,
Steve
" And develop an easy-install linux that works on virtually every big-vendor box with a good GUI"
;)
But that already exists
Regards,
Steve
The best part is not only is the toolbar optional but to turn the linking feature on you have to press a button each time you'd like it to autolink stuff. (i.e. once per web page/per view) so the feature isn't even pushed on you even if you decided to grab the toolbar. Furthermore, Google made it extremely easy to switch the mapping service to two of their comptetitors, MapQuest and Yahoo! Maps. Microsoft would never ever do a thing like that. This is why Google is Good, and Microsoft is evil forevermore :)
Regards,
Steve
Don't give Microsoft too much credit. Here.It's actually a really good track record, but not flawless.
regards,
Steve
Their analysis was based on number of patches and time it took to get patched from the time it was publically released. Microsoft stays quiet about most vulnerabilities until a patch is ready and will ship it some time that month, thus the average 30 days. In addition to this, there are still IE holes unpatched from last july. This didn't make the report because its a server. Also, Linux comes with *much* more software by default and much more functionality. They said that these were default setups. That means that if they were using a distro like Red Hat, every single program gets updated as necessary over 2000 programs judging from one of my boxes). Far fewer programs get updated from Windows Update (usually only core programs and utilities... or things that Microsoft deems necessary).
Also, many OSS exploits are theoretical in nature... if a strcpy() passes an unchecked ptr and some coder sees this... whether or not that code could have been exploited... he fixes it and out goes the patch. Its a patch for something that may have never been even able to be taken advantage of. That would never happen in a commercial project. All this study shows is that these researchers define security as the ability to hide security problems as long as possible until a patch is ready and if the patch never gets ready, just never tell anyone about the problem. Following the two above stated rules would easily make any software company "secure" by their standards. As stated previously, their criteria was # of patches and time to release. Time to release is shortened by waiting until the patch is ready (which Microsoft does) and # of patches is shortened by simply not releasing non-major patches and just rolling them out with the next version. The criteria these guys used was meaningless and if anything shows that linux is doing something right if they are updating several times more programs with only twice the delay (which i really doubt is the true delay time). One other thing worth noting, the Ford guy has been paid by Microsoft several times to do studies and release them in favor of MS, I'd hardly call him a true linux fan. Maybe this time they just covered it up better... you wouldn't want to bite the hand that feeds you.
Regards,
Steve
Red Hat has been working on this for months now. It's already able to be ran and now Nat from Novell hopped on board too. Its going places, and very quickly. The architecture is the most advanced design of an graphics system today. More so then Longhorn and OSX.
Regards,
Steve
They reduced it from 2**80 to 2**69. And the paper hasnt even been released yet so noone knows if that is even accurate.
Regards,
Steve
Relax... it still takes 2^69 tries. That is 590,295,810,358,705,651,712 hash operations. To brute force sha-1 it takes 2**80. This is only 2**11 times faster then a brute force attack... thats 2048 times faster. Its significant but it's not that big of a deal. It is no more significant then if someone with a 2000 node cluster tried to brute force your hash (which is completely feasible...especially for large government agencies like the NSA). In other words, if you were capable of performing 1 trillion (1,000,000,000,000) hash operations per second, it'd still take nearly 19 years for a collision to be found. I assume the NSA can knock that number down to under 24 hours, but thats expected of them. For anyone else in the world, assuming your not being followed by the NSA... and god help you if you are... sha-1 will still be fine and the entire internet security infastructure will not need to be redesigned.
Regards,
Steve
No, I do believe that ISPs are common carriers and thats why they aren't responsible for kiddie porn, hacking, p2p, spam, etc... The second they start filtering, they become a private carrier and at that point they are instantly liable for all the kiddie porn etc... traveling over their lines. They might be getting away with this for now, but I can't wait for this to bite them in the ass.(Yes it will eventually happen, the government just takes its time. Kind of like with the Janet Jackson thing... the FCC kept letting more and more slip through their fingers onto the airwaves, one halftime show too much and they clamped down on the whole industry. Same thing will happen here) Oh and btw... spam filtering is a service sold to the consumer... try advertising that you actively block competition as a feature and see how far you get.
Regards,
Steve
They honestly don't care about CentOS, read their developer mailing lists. CentOS guys ask will often ask questions and Red Hat engineers almost always promptly respond with good and accurate information. Red Hat doesn't view them as a threat, afterall Mandrake is a fork of Red Hat and it hasn't damaged Red Hat at all. Red Hat is simply doing what it is legally bound to do, read this for more info. Red Hat is a really nice distro and bashed way too much on slashdot :)
Regards,
Steve