All you have to do for that is document prior art in a way that is goign to be accepted by the courts and can be found by the USPTO (ok.. th elater is a bit more difficult).
You do not need a patent for that, you do need it to either enforce your exclusive rights or to use against someone sueing you over other patents.
However, I'm really more concerned with the moral issue here. The guy agreed to a certain condition of employmnet. MS honored it part of the bargain, so why the hell shoudn't he stick to his?
If you are concerned about the moral issues, I'd suggest you tsart worrying about companies using such clauses, and not so much about those who agree to them knowing they are not enforcable.
Yes, but keep in mind that(Water/sand/CO2) is only effective against a current blazing fire. If your purpose is prevention/minimization of risk, the US Forestry Service still uses controlled burns in densely forest areas with a high potential of fire, to minimize the amount of fuel a blaze would have in the event of a wildfire.
In the post you replied to I said:
restrict and thereby hopefully control a fire with fire
I would think I had kept that use of fire in mind...
Because water, sand, co2 and such do a much better job at it usually?
Even when using fire, you don't fight fire with fire, you restrict and thereby hopefully control a fire with fire, and then you hope you can fight it afterwards.
I also agree to work 8 hours a day (or more). Does that infringe upon my freedoms?
You may find that in many places the law has something to say about this 'more' part. I agree to write code in VB and not in C++, they way I want to? Does that infringe upon my freedom too?
If you would be bound by contract to only write VB, cannot even touch C++ in your spare time etc? yes. You may find that courts would hold such a condition unenforcable also.
I agree to work in Redmond, and not downtown Seattle? Is that an infringement on my freedom?
If your Redmond employer is going to tell you where you can live as a result, yes.
You can try to find all kinds of silly examples where your freedom is somewhat limited due to your own choices. That is not the same as signing away a right. The first will usually be considered valid (but not if you can later show that the other side of the agreement did in fact force you to sign it by whatever means), the later will usually be considered unenforcable.
A contract can say everything that parties agree upon, but you will find that any unlawfull things you agree upon will generally not be upheld y any court, regardless of how willingly you agreed to it.
I think some actual slaves would argue with your definition of slavey. Slavery invovles force. Actual, physical force.
Slavery involves force, but that can be in many forms, not just physical. You may want to go look into the concept called economic enslavement for example.
I sure do hate that I have to eat to live the way I want. I don't go into the garden of my neighbor and go, "If you don't give me that food right now then you are enslaving me!".
Don't be ridiculous,
It is not about being able to do what you want at any given time, this is about being able to try making a living with your aboilities and your skills. Something which at quite a few places is supposedly guaranteed both due to it being considered a basic human right by many, and in the case of the USA the opposite often results in illegal restriction of trade.
We're not talking a line employee living paycheck-to-paycheck who isn't allowed to work in another factory. We're talking about soemone (lets guess) paid a few hundred grand a year who signed into an agreement knowing very-well the clauses in it. I'm not saying we should base labour laws on the money one makes, but what I am saying is that he's not a victim _FORCED_ to take a job with poor M$ because his kids are starving. He read the contract and signed it, agreeing to its contents.
Putting limits to non-compete clauses is a matter of principe, what kind of job this person held is of no relevance to what is reasonable.
Then google picks him up- he's clearly in high demand and tried to pull a fast one and scoop up an opportunity.
Yes, that is what doing business is about..
There is no loss of human capital but just a shift in it from place to place. And yes, I am looking at it from an employers view (as that's what I am actually in the real world).
For some time now I am running my own business, so I do look at this with experience on both sides of the issue.
There is a loss of human capital because you have people who are highly skilled in something and you cannot have them put that skill to use for an amount of time, which also reduces their level of skill.
From the macro view, the company is also a contributor to the macroeconomic pool. We're talking about a temporary leave, not a mass removal of employees. We're saying "go take a vacation and forget about all those secrets you know...
Especially in the high-tech industries, not working in your area of specialisation for a prolonued time (more then some 6-8 weeks) reduces your skill level.
then go buy yourself a bouncing car and best of luck to you". Sure we could pay for that time, but it would probably come from your weekly salary or reduce the benefits to others.
Peotection of secrets has a price. It is the company wanting to protect them, so they should pay the price.
To me, it's not about what's desirable, it's about what's right.
Not that I know you, but who are you to say what is right? Right and wrong are often a matter of belief.
I believe it is more right to protect society as a whole from loss of productivity, income and knowledge then to protect a company from possible loss of competitiveness, even more so if the company has other means for preventing this.
As I pointed out I don't think all non-compete clauses are unreasonable, but I do believe that in order for them to be reasonable they need to provide compensation for 2 things:
1. Obvious: loss of income 2. Less obvious: loss of recent working experience (which can be a significant disadvantage for finding new employment)
You're comparing a non-competition clause preventing you from working for a direct competitor (hence in the same industry) to slavery? You have got to be kidding me?
Read again. I compared being forced to accept UNREASONABLE conditions in order to be able to get a job to slavery. Not every non compete clause is unreasonable, quite a few are however. I was not in any way comparing the clause itself with slavery.
In his position, he is privy to knowledge of the operations and the products that will be released within the next few months- the idea is that he can't spread that knowledge as easily. He's probably under an NDA, but it prevents slip-ups and conflicts of interest.
So put him on payed leave for 3-6 months.
Plus we're talking about an exec ( a VP in fact ), who is probably making some damn fine money in compensation for 6 months of not working for a direct competitor. That's not a bad deal.
Nope, and I'm not sre if it is such a big issue in this specific case.
There are employers who do NOT have these requirements. If you are against them, simply only apply to those employers. It is the companies protecting themselves from employees who run off and start competing with themselves.
I understand perfectly well why they are there, but I give priority to what is good for the large majority of people over what is good for a tiny fraction of them. If companies wan't to prevent peopel from leaving, they better make sure they offer the best conditions possibel to their employees instead of using clauses that are generally bad for the employees.
A job is not just something you do all day to make money- for many it's genuinely something that we enjoy, a social landscape, a position in life, and more.
No need to tell me, I have worked for the last 2 decades, of which 11 years was spent at IBM. I kow all about the 'scoial landscape' and such it provides for.
Those who know economics: it's "a barrier to entry and exit" to discourage you from leaving or joining other companies quickly while the information you have is still current and can be used against the company in question.
THe micro conomical side of this is extremely obvious. I do believe you should consider that there are more important things then the micro economics of a single company, and that in the end the macro economics are more important. From a macro economic point of view non-compete clauses are a pure loss of experience and human capital.
And let's not get overdramatic. A non-compete clause is not signing yourself over to slavery. It's a pretty reasonable thing to do for an employer.
Quite a few of them are pretty unreasonable to an employee, and being forced to accept unreasonable conditions in order to be able to provide for yourself is a lot closer to slavery then you seem to be willing to consider.
Don't get me wrong, there are imho reasonable anti compete clauses, and I had one with my previous employer that I agreed to and kept to (eventho the clause would not be enforcable where I live) because it was reasonable. Most of the contracts with such clauses that I have seen are not very reasonable however (but often not enforcable)
Bottonline, what is more desirable, something reasonable for a tiny small group, and unreasonable to a very large group or its opposite..
In other words, (and I'm not a coder), but it can be possible for this guy Lee to naturally introduce some concepts from his work with Microsoft while at Google, especially becasue he'll be working in the same capacity.
Ah yes, working experience gets you experience and knowledge.
They hire people who have those on purpose, and should stop whining about the fact that people will take that with them when leaving.
Why? You say "we're willing to hire you but under this condition" (similar to NDAs and other conditions that you are given these days). You as an employee have a choice- choose whether you want to be bound by this agreement. Nobody is forcing you to accept this position- nobody is forcing you to agree to these terms.
You have a choice beteen not getting a job, or accepting a bad condition. That is in fact forcing people to accept the bad condition.
It is a basic human right to use your skills and abilities to provide for your income. Barring someone from his profession for say a year means breaking that basic human right, and it means in many cases a strong devaluation of the skills and experience of such a person.
This is a condition that can only exist due to the power that employers have,
The 'nobody is forcing you' argument is silly, nobody was forcing anyone into slavery either following the same logic. People had a choice, flee, die, or work your entire life for the proffit of someone else...
It's much easier to compromise additional servers once you are on the inside of the system and can see what distribution, kernel, etc... is being run.
Well, that applies regardless of having a single or multiple machines. With multiple machines there is at least still a physical barrier and the likelyhood that other machines will not be vulnerable in the same way due to running different services.
This is about raising the bar, if you aim for making it impossible, I suggest doing away with the network instead.
Generally, in my experience, any service failure is very serious.
I agree.
Networks don't exist in a vacuum, services depend on each other to work. If your ldap server goes down no one can log in anywhere on the network. If your dns server goes down everyone has to connect via IP address.
How good you can run secondaries of both, only makes sense when they are on a different piece of hardware however.
If your firewall goes down all of your online services, email, etc.. no longer work.
Firewalls with fallover support are available both from commercial vendors and as open source products. Again, more machines reduce, not increase the chance of catastrophic failure.
Mail servers are even easier since the way they interact with the DNS system allows for rather decent backup services.
I've had a decade or so of experience running my network, which is relatively large and I still have that opinion. The network I adminstrate has never been hacked by an intruder, the only time we have been compromised is when some of our users infected their workstation with an email virus and that has only happened twice.
Well, I'd say you have partially been lucky. Just 2 such virus incidents in some decade is quite a decent score really (talking about 'luck' here because there is only so much you can do about laptops coming from the outside and being infected. You can do a bit against them infecting the rest of the network of course)
Don't get me wrong, there are still circumstances where a dedicated machine is best. I fully believe in dedicated firewall machines and of course distributed webservers and DNS servers are a necessity if you want to keep a site up continually. I just don't ascribe to the philosophy of distributing out components across multiple servers more than required for reliability or performance issues and even then I prefer redundancy to separation.
What I found is that I need the facilities to maintain multiple machines anyway, for exactly the reasons you mention. So my first target has been to make it easy to maintain multiple machines.
When implementing that properly, I found it really does not cause much more work to have yet another machine to maintain, so I often default to using a new machine for a new feature/service.
I do agree that it does not always make sense, and that it will save work to combine things at times (like I do on the server that runs my weblog for example).
I think the GP meant that it's a lot easier to do it on Linux boxen...
Well, you do get away with it more often then on Windows, definitely.
On my little Celery 400 with 128MB of RAM running FreeBSD 4.9, I have MySQL, Apache, PHP, dhcpd all running with little overhead.
Yeah, and I have a nice Celeron 1800 running those same apps, tho on FreeBSD 5.4. I do quite a bit of hosting for web based apps on it (its part of what I make my money with)
If I want any performance whatsoever from MySQL (and I have some apps that make rather heavy use of it) I end up with a configuration where MySQL takes some 280M memory or more. Apache (thanks to caching of content and compiled PHP code) has no trouble growing to around 100M. I think both are already in the same league as IIS and MSSQL there.
Now, combine that with an smtp server with spam and virus filtering, and the 1GB memory it has is pretty much used. CPU load is virtually 0 however.
So.. I am quite aware that you can do this, and make it work, even make it work well, and make it work quite a bit better then similar functionality running on Windows.
You can also shove hot pokers under your fingernails, it's not recommended.
I am aware of that, all I was saying that it is not recomended regardless of the platform. It depends a bit on the services you want to combine however.
Seriously though, each of those services you mentioned will sometimes hold a processor hostage, it's not really able to handle any load like that.
You will see a very similar thing when running things like Domino, Oracle or Versant on Linux. Applications/services being so bloated that they consume whatever resources they can get.
Linux is somewhat better at handling such situations, definitely, but it is still not something you want unless those services are rather lightweight (and even then there are other considerations like security)
Maybe, but there are disadvantages. If you run everything on one machine you have a single point of failure. The more machines you have the more failure points, the more complexity, more nodes available to attack and more maintenance. As a Sys Admin I'm in favor of running as many things as possible on one box for all of the above reasons. If I can't resonably protect a single machine how can I be expected to reasonably protect six, or ten, or a hundred?
You have services running, and I can guarantee you that at an given time, there will be some service with a potential weakness that can be exploited.
In the single server setup that means that you cannot protect any of your services fully because your server will always be as week as the weakest service running on it.
When distributing functions over servers, the compromise will be limited to the one server running a vulnerable service.
Also, when you have seperate machines for different functions, failure will be far less catastrophic because it means only one service is affected.
It does cause a little bit more work overall, but it significantly reduces the amount of work needed to deal with things going wrong.
I have heard many people following your reasoning, probably because it makes sense at first glance. I have seen very few keeping to this opinion AND being seriously interested in securing their network, after having had a decade or so experience with it.
MS' own recommended strategy for servers is one box for each function. AD tree that's a box. An IIS server? That's a box. A SQL server? Yet another box.
Hmm, they recommend that, but I'd like to mention 2 things here:
1. This has been a recommended strategy for building servers, one that MS finally adapted itself (tho possibly for the wrong reasons).
It is a very good idea because it ensures physical seperation between the different services and greatly reduces the potential of compromise of one service spreading to other services.
2. You can have IIS, AD and MSSQL on one machine. It is not recommended, but it is quite possible.
But an ActiveX application served to your browser from the site could fetch your MAC address or some other unique identification and report it back.
Indeed it could (which is a bad thing actually, but that is another story)
So.. which MAC address is it going to pick of the 4 network cards in my machine? (and yeah, this is a desktop, it just happens to have a wireless card and 3 ethernet cards, and it uses a different one depending on the situation)
Of course this ignores the fact that activex applets won't run on my machien to begin with.
The point being that MAC addresses are a very bad way to indentify a machine, even when you can obtain it, something which SUN, SGI and many others found out in the past already.
To stay on topic, with regards to preventing phishing:
1. You need to indentify the user, not the machine. Using the machine as part of this just makes it more attractive for people to take over your typical desktop machine with worms and what not.
2. The idea with regards to stopping phishing is to indentify the server you are talking to, not for the server to indentify the workstation (which is a bad idea anyway usually, see point 1)
When we go this way anyway (requiring a platform specific bit of software before you can use electronic banking) banks would do better to go back to using specialized applications, and just use IP for communications. Using a webbrowser did have its reasons, and part of it (according to the explicit statements of both my private and business banks) is to make it easy to support other platforms.
Well, I was concerned about MitM attacks, but the other person replying to my post says that's not an issue. I'm not sure I understand why, though.
I'm not sure that other person is right. The smartcard setup makes information gathered from a MitM attack usefull for a very short time only. I don't see how it prevents them alltogether.
Slashdot Mirror
I'm still looking for the head and tail of your post..
All you have to do for that is document prior art in a way that is goign to be accepted by the courts and can be found by the USPTO (ok.. th elater is a bit more difficult).
You do not need a patent for that, you do need it to either enforce your exclusive rights or to use against someone sueing you over other patents.
However, I'm really more concerned with the moral issue here. The guy agreed to a certain condition of employmnet. MS honored it part of the bargain, so why the hell shoudn't he stick to his?
If you are concerned about the moral issues, I'd suggest you tsart worrying about companies using such clauses, and not so much about those who agree to them knowing they are not enforcable.
You said:
Yes, but keep in mind that(Water/sand/CO2) is only effective against a current blazing fire. If your purpose is prevention/minimization of risk, the US Forestry Service still uses controlled burns in densely forest areas with a high potential of fire, to minimize the amount of fuel a blaze would have in the event of a wildfire.
In the post you replied to I said:
restrict and thereby hopefully control a fire with fire
I would think I had kept that use of fire in mind...
A bit off-topic but...
Why not fight fire with fire?
Because water, sand, co2 and such do a much better job at it usually?
Even when using fire, you don't fight fire with fire, you restrict and thereby hopefully control a fire with fire, and then you hope you can fight it afterwards.
I also agree to work 8 hours a day (or more). Does that infringe upon my freedoms?
You may find that in many places the law has something to say about this 'more' part.
I agree to write code in VB and not in C++, they way I want to? Does that infringe upon my freedom too?
If you would be bound by contract to only write VB, cannot even touch C++ in your spare time etc? yes. You may find that courts would hold such a condition unenforcable also.
I agree to work in Redmond, and not downtown Seattle? Is that an infringement on my freedom?
If your Redmond employer is going to tell you where you can live as a result, yes.
You can try to find all kinds of silly examples where your freedom is somewhat limited due to your own choices. That is not the same as signing away a right. The first will usually be considered valid (but not if you can later show that the other side of the agreement did in fact force you to sign it by whatever means), the later will usually be considered unenforcable.
A contract can say everything that parties agree upon, but you will find that any unlawfull things you agree upon will generally not be upheld y any court, regardless of how willingly you agreed to it.
I think some actual slaves would argue with your definition of slavey. Slavery invovles force. Actual, physical force.
Slavery involves force, but that can be in many forms, not just physical. You may want to go look into the concept called economic enslavement for example.
I sure do hate that I have to eat to live the way I want. I don't go into the garden of my neighbor and go, "If you don't give me that food right now then you are enslaving me!".
Don't be ridiculous,
It is not about being able to do what you want at any given time, this is about being able to try making a living with your aboilities and your skills. Something which at quite a few places is supposedly guaranteed both due to it being considered a basic human right by many, and in the case of the USA the opposite often results in illegal restriction of trade.
that would make it much easier to conced that voluntary agreeing to something (in return for something else, mind you) infringes upon my freedom.
Because you sign away your right to work in your chosen profession for a while? That limits your freedom during that time.
Yet, in this instance, nobody's freedoms are infringed upon.
In the case of non compete clauses, the freedom of the employee is infringed upon (even when the employee agrees to it)
Why shouldn't I be able to enter such an agreement with them?
Why should you not be able to use heroin or coke or such?
Why are in at least some states people not allowed to prostitute themselves?
At times a government feels it has to protect its citizens against themselves.
Also, your freedom is limited by the freedoms of others,
We're not talking a line employee living paycheck-to-paycheck who isn't allowed to work in another factory. We're talking about soemone (lets guess) paid a few hundred grand a year who signed into an agreement knowing very-well the clauses in it. I'm not saying we should base labour laws on the money one makes, but what I am saying is that he's not a victim _FORCED_ to take a job with poor M$ because his kids are starving. He read the contract and signed it, agreeing to its contents.
Putting limits to non-compete clauses is a matter of principe, what kind of job this person held is of no relevance to what is reasonable.
Then google picks him up- he's clearly in high demand and tried to pull a fast one and scoop up an opportunity.
Yes, that is what doing business is about..
There is no loss of human capital but just a shift in it from place to place. And yes, I am looking at it from an employers view (as that's what I am actually in the real world).
For some time now I am running my own business, so I do look at this with experience on both sides of the issue.
There is a loss of human capital because you have people who are highly skilled in something and you cannot have them put that skill to use for an amount of time, which also reduces their level of skill.
From the macro view, the company is also a contributor to the macroeconomic pool. We're talking about a temporary leave, not a mass removal of employees. We're saying "go take a vacation and forget about all those secrets you know...
Especially in the high-tech industries, not working in your area of specialisation for a prolonued time (more then some 6-8 weeks) reduces your skill level.
then go buy yourself a bouncing car and best of luck to you". Sure we could pay for that time, but it would probably come from your weekly salary or reduce the benefits to others.
Peotection of secrets has a price. It is the company wanting to protect them, so they should pay the price.
To me, it's not about what's desirable, it's about what's right.
Not that I know you, but who are you to say what is right? Right and wrong are often a matter of belief.
I believe it is more right to protect society as a whole from loss of productivity, income and knowledge then to protect a company from possible loss of competitiveness, even more so if the company has other means for preventing this.
As I pointed out I don't think all non-compete clauses are unreasonable, but I do believe that in order for them to be reasonable they need to provide compensation for 2 things:
1. Obvious: loss of income
2. Less obvious: loss of recent working experience (which can be a significant disadvantage for finding new employment)
You're comparing a non-competition clause preventing you from working for a direct competitor (hence in the same industry) to slavery? You have got to be kidding me?
Read again. I compared being forced to accept UNREASONABLE conditions in order to be able to get a job to slavery. Not every non compete clause is unreasonable, quite a few are however. I was not in any way comparing the clause itself with slavery.
In his position, he is privy to knowledge of the operations and the products that will be released within the next few months- the idea is that he can't spread that knowledge as easily. He's probably under an NDA, but it prevents slip-ups and conflicts of interest.
So put him on payed leave for 3-6 months.
Plus we're talking about an exec ( a VP in fact ), who is probably making some damn fine money in compensation for 6 months of not working for a direct competitor. That's not a bad deal.
Nope, and I'm not sre if it is such a big issue in this specific case.
There are employers who do NOT have these requirements. If you are against them, simply only apply to those employers. It is the companies protecting themselves from employees who run off and start competing with themselves.
I understand perfectly well why they are there, but I give priority to what is good for the large majority of people over what is good for a tiny fraction of them. If companies wan't to prevent peopel from leaving, they better make sure they offer the best conditions possibel to their employees instead of using clauses that are generally bad for the employees.
A job is not just something you do all day to make money- for many it's genuinely something that we enjoy, a social landscape, a position in life, and more.
No need to tell me, I have worked for the last 2 decades, of which 11 years was spent at IBM. I kow all about the 'scoial landscape' and such it provides for.
Those who know economics: it's "a barrier to entry and exit" to discourage you from leaving or joining other companies quickly while the information you have is still current and can be used against the company in question.
THe micro conomical side of this is extremely obvious. I do believe you should consider that there are more important things then the micro economics of a single company, and that in the end the macro economics are more important. From a macro economic point of view non-compete clauses are a pure loss of experience and human capital.
And let's not get overdramatic. A non-compete clause is not signing yourself over to slavery. It's a pretty reasonable thing to do for an employer.
Quite a few of them are pretty unreasonable to an employee, and being forced to accept unreasonable conditions in order to be able to provide for yourself is a lot closer to slavery then you seem to be willing to consider.
Don't get me wrong, there are imho reasonable anti compete clauses, and I had one with my previous employer that I agreed to and kept to (eventho the clause would not be enforcable where I live) because it was reasonable. Most of the contracts with such clauses that I have seen are not very reasonable however (but often not enforcable)
Bottonline, what is more desirable, something reasonable for a tiny small group, and unreasonable to a very large group or its opposite..
But then, who really knows, since we're all playing armchair attorneys, anyway!
Hehehe
In other words, (and I'm not a coder), but it can be possible for this guy Lee to naturally introduce some concepts from his work with Microsoft while at Google, especially becasue he'll be working in the same capacity.
Ah yes, working experience gets you experience and knowledge.
They hire people who have those on purpose, and should stop whining about the fact that people will take that with them when leaving.
They're generally considered legally binding.
I think that really depends on where you live, I assume they are legally binding in the USA?
They are not in many cases in much of Europe for example.
Why? You say "we're willing to hire you but under this condition" (similar to NDAs and other conditions that you are given these days). You as an employee have a choice- choose whether you want to be bound by this agreement. Nobody is forcing you to accept this position- nobody is forcing you to agree to these terms.
You have a choice beteen not getting a job, or accepting a bad condition. That is in fact forcing people to accept the bad condition.
It is a basic human right to use your skills and abilities to provide for your income. Barring someone from his profession for say a year means breaking that basic human right, and it means in many cases a strong devaluation of the skills and experience of such a person.
This is a condition that can only exist due to the power that employers have,
The 'nobody is forcing you' argument is silly, nobody was forcing anyone into slavery either following the same logic. People had a choice, flee, die, or work your entire life for the proffit of someone else...
It's much easier to compromise additional servers once you are on the inside of the system and can see what distribution, kernel, etc... is being run.
Well, that applies regardless of having a single or multiple machines. With multiple machines there is at least still a physical barrier and the likelyhood that other machines will not be vulnerable in the same way due to running different services.
This is about raising the bar, if you aim for making it impossible, I suggest doing away with the network instead.
Generally, in my experience, any service failure is very serious.
I agree.
Networks don't exist in a vacuum, services depend on each other to work. If your ldap server goes down no one can log in anywhere on the network. If your dns server goes down everyone has to connect via IP address.
How good you can run secondaries of both, only makes sense when they are on a different piece of hardware however.
If your firewall goes down all of your online services, email, etc.. no longer work.
Firewalls with fallover support are available both from commercial vendors and as open source products. Again, more machines reduce, not increase the chance of catastrophic failure.
Mail servers are even easier since the way they interact with the DNS system allows for rather decent backup services.
I've had a decade or so of experience running my network, which is relatively large and I still have that opinion. The network I adminstrate has never been hacked by an intruder, the only time we have been compromised is when some of our users infected their workstation with an email virus and that has only happened twice.
Well, I'd say you have partially been lucky. Just 2 such virus incidents in some decade is quite a decent score really (talking about 'luck' here because there is only so much you can do about laptops coming from the outside and being infected. You can do a bit against them infecting the rest of the network of course)
Don't get me wrong, there are still circumstances where a dedicated machine is best. I fully believe in dedicated firewall machines and of course distributed webservers and DNS servers are a necessity if you want to keep a site up continually. I just don't ascribe to the philosophy of distributing out components across multiple servers more than required for reliability or performance issues and even then I prefer redundancy to separation.
What I found is that I need the facilities to maintain multiple machines anyway, for exactly the reasons you mention. So my first target has been to make it easy to maintain multiple machines.
When implementing that properly, I found it really does not cause much more work to have yet another machine to maintain, so I often default to using a new machine for a new feature/service.
I do agree that it does not always make sense, and that it will save work to combine things at times (like I do on the server that runs my weblog for example).
I think the GP meant that it's a lot easier to do it on Linux boxen...
Well, you do get away with it more often then on Windows, definitely.
On my little Celery 400 with 128MB of RAM running FreeBSD 4.9, I have MySQL, Apache, PHP, dhcpd all running with little overhead.
Yeah, and I have a nice Celeron 1800 running those same apps, tho on FreeBSD 5.4. I do quite a bit of hosting for web based apps on it (its part of what I make my money with)
If I want any performance whatsoever from MySQL (and I have some apps that make rather heavy use of it) I end up with a configuration where MySQL takes some 280M memory or more. Apache (thanks to caching of content and compiled PHP code) has no trouble growing to around 100M. I think both are already in the same league as IIS and MSSQL there.
Now, combine that with an smtp server with spam and virus filtering, and the 1GB memory it has is pretty much used. CPU load is virtually 0 however.
So.. I am quite aware that you can do this, and make it work, even make it work well, and make it work quite a bit better then similar functionality running on Windows.
Is it recommended? NO.
Can it become a serious problem? Definitely.
You can also shove hot pokers under your fingernails, it's not recommended.
I am aware of that, all I was saying that it is not recomended regardless of the platform. It depends a bit on the services you want to combine however.
Seriously though, each of those services you mentioned will sometimes hold a processor hostage, it's not really able to handle any load like that.
You will see a very similar thing when running things like Domino, Oracle or Versant on Linux. Applications/services being so bloated that they consume whatever resources they can get.
Linux is somewhat better at handling such situations, definitely, but it is still not something you want unless those services are rather lightweight (and even then there are other considerations like security)
Maybe, but there are disadvantages. If you run everything on one machine you have a single point of failure. The more machines you have the more failure points, the more complexity, more nodes available to attack and more maintenance. As a Sys Admin I'm in favor of running as many things as possible on one box for all of the above reasons. If I can't resonably protect a single machine how can I be expected to reasonably protect six, or ten, or a hundred?
You have services running, and I can guarantee you that at an given time, there will be some service with a potential weakness that can be exploited.
In the single server setup that means that you cannot protect any of your services fully because your server will always be as week as the weakest service running on it.
When distributing functions over servers, the compromise will be limited to the one server running a vulnerable service.
Also, when you have seperate machines for different functions, failure will be far less catastrophic because it means only one service is affected.
It does cause a little bit more work overall, but it significantly reduces the amount of work needed to deal with things going wrong.
I have heard many people following your reasoning, probably because it makes sense at first glance. I have seen very few keeping to this opinion AND being seriously interested in securing their network, after having had a decade or so experience with it.
MS' own recommended strategy for servers is one box for each function. AD tree that's a box. An IIS server? That's a box. A SQL server? Yet another box.
Hmm, they recommend that, but I'd like to mention 2 things here:
1. This has been a recommended strategy for building servers, one that MS finally adapted itself (tho possibly for the wrong reasons).
It is a very good idea because it ensures physical seperation between the different services and greatly reduces the potential of compromise of one service spreading to other services.
2. You can have IIS, AD and MSSQL on one machine. It is not recommended, but it is quite possible.
But an ActiveX application served to your browser from the site could fetch your MAC address or some other unique identification and report it back.
Indeed it could (which is a bad thing actually, but that is another story)
So.. which MAC address is it going to pick of the 4 network cards in my machine? (and yeah, this is a desktop, it just happens to have a wireless card and 3 ethernet cards, and it uses a different one depending on the situation)
Of course this ignores the fact that activex applets won't run on my machien to begin with.
The point being that MAC addresses are a very bad way to indentify a machine, even when you can obtain it, something which SUN, SGI and many others found out in the past already.
To stay on topic, with regards to preventing phishing:
1. You need to indentify the user, not the machine. Using the machine as part of this just makes it more attractive for people to take over your typical desktop machine with worms and what not.
2. The idea with regards to stopping phishing is to indentify the server you are talking to, not for the server to indentify the workstation (which is a bad idea anyway usually, see point 1)
When we go this way anyway (requiring a platform specific bit of software before you can use electronic banking) banks would do better to go back to using specialized applications, and just use IP for communications. Using a webbrowser did have its reasons, and part of it (according to the explicit statements of both my private and business banks) is to make it easy to support other platforms.
Well, I was concerned about MitM attacks, but the other person replying to my post says that's not an issue. I'm not sure I understand why, though.
I'm not sure that other person is right. The smartcard setup makes information gathered from a MitM attack usefull for a very short time only. I don't see how it prevents them alltogether.