Slashdot Mirror


User: DJBigShow

DJBigShow's activity in the archive.

Stories: 0
Comments: 13

Comments · 13

  1. Re:Better luck next time on Sun's Linux Killer Examined · · Score: 1

    If they give Solaris away for free, provide a superior desktop/workstation for free, pay other vendors to supply drivers, and support platforms such as x86, how in the world would Sun make money???

    As you said yourself, Sun is a corporation. This means their ultimate goal is to make money, not give everything away for free. They will need to make money with it somehow, and I can't see Sun ever going into a role like Redhat is.

    -DJBS

  2. Re:Preferentially? on What is the Best Firewall for Servers? · · Score: 1

    An IDS (Intrusion Detection System) is not meant for inline functionality and dropping packets. It is merely meant to detect attacks and log them by seeing copies of all packets such as using a mirror port of a switch. Some IDS applications (such as SNORT) also support plugins which can dynamically install firewall rules in a separate firewall (such as CISCO ACLs, iptables, etc) when an attack is detected.

    An IPS (Intrusion Prevention System) is an IDS system built to be placed inline with the capabilities of blocking attacks itself. SNORT also has some IPS (inline) functionality.

    Unless you install a firewall which contains application intelligence (such as Checkpoint), the firewall will not detect attacks such as zombies. The parent is right in stating that an IDS or IPS is best used for this functionality.


    -DJBS

  3. Only eight? on Microsoft Releases Eight Security Updates · · Score: 1

    Geez. You know it's scary when you read this, and think to yourself 'Only eight?'

    -DJBS

  4. Re:No-brainer on Making Money Using Open Source Software? · · Score: 2, Interesting

    I have always been fond of the dual licensing idea, however I am confused on one bit: One of the key advantages to open sourcing something, is utilizing the additional developers out there that can contribute to your project.

    I would suppose that when a non-employee developer makes a change to the open source version of the software and submits it back for check-in, it is not possible to dual license this change without their explicit permission. Is this the case, or is there some other loophole there that allows those changes to be licensed privately by the company?

    If such changes are not allowed to be privately licensed, then it takes away most of the advantages of open sourcing the software in the first place, in my opinion.

    -DJBS

  5. Re:No offense to everyone here on TiVo Moves to Bypass Cable · · Score: 1

    Why, exactly, are you bothering to read an article and/or comments about a PVR if you don't think anything warrants recording?

    And what exactly is insightful about that? Geez...

    -DJBS

  6. Re:Can this be a config parameter? on Linus Pooh-Pooh's Real-Time Patch · · Score: 1

    Not only is it a ton of #ifdef's throughout the code, it also forces the requirement of anyone changing code in that area to not only test their changes how they would today, but now they would also have to test with the real time code enabled. This includes any drivers using any type of locking.

    -DJBS

  7. Re:Patents and security? on FDA Approves Implantable RFID for Patients · · Score: 1

    It might also raise the risk of getting your leg amputated when you were supposed to be getting your tonsils out, because after all, software can be buggy! I'd prefer the doctor be looking at the piece of paper attached to me/my bed, rather than having the computer do some look-up, have a hiccup, and next thing ya know, there goes my leg.

    -DJBS

  8. Re:Are they user proof? on Reverse Firewalls As An Anti-Spam Tool · · Score: 1

    I think there might be some confusion as to how these spambots work. I don't have a lot of experience with them, however the ones I've encountered have actually used my ISP's SMTP server.

    I believe the reason for this is because my ISP's SMTP server will relay any message it receives from me due to the fact that I am assigned an IP address from that ISP. If the spambot didn't have access to my ISP's open-relay SMTP server, it would require access to some other open-relay SMTP server off of the net which are very hard if not impossible to find, or it would need to perform DNS look-ups to determine the mail server responsible for every domain it attempts to e-mail.

    I don't think blocking port 25, except to your ISP's mail server, will solve anything.

    -DJBS

  9. Re:Area 51 is a hoax by the goverment on Area 51 Hackers Map Buried Surveillance Network · · Score: 1

    You are assuming the government would be smart enough to create a hoax site and have the real one somewhere else. Whose government are you thinking of? Surely not the US government...

  10. Re:Loyalty to machines on People Feel Loyalty To Computers · · Score: 1

    So you're saying my computer has 9 lives???

  11. Re:Sure, Why Not? on Code Copying Survey for Developers · · Score: 1

    What makes you think that someone who would copy/paste code without first determining if it's the best possible implementation or not, would actually spend the time to come up with the best possible implementation without a code library? That kind of engineer won't do it regardless of whether they have a code library at their disposal or not.

    I for one, have a code library that I share with other engineers. When we determine that what we have doesn't fit the best implementation possible of something, we modify the code library so that it does fit without changing existing APIs. This allows us to enhance our code library for future use, while raising the probability that we will have the best possible solution the next time around.

    As to whether it's illegal or not, I think that depends on your employment situation. In my situation for example, my employer knows that I have this code library, and that a few other engineers I share it with all contribute to it. Our employer also knows that we have every intention on taking this library with us when we leave. We do have this in writing, of course.

    You are probably wondering why the employer would agree to something like this? The advantage for the employer is that by allowing us to use the code library we brought with us -- which we wouldn't use unless the above agreement was made -- we are able to finish projects much quicker. Not only are we able to finish them much quicker, but the QA cycles of such projects are proven to be shorter. The reason is because the code in our library has already been proven time and time again in other projects. I don't know of an employer who doesn't want faster project deadlines, and shorter QA cycles while also gaining quality and flexibility.

    -DJBS

  12. Re:Get a real firewall! on Essential Check Point Firewall-1 NG · · Score: 1

    Wow, really? I work for a company in the high end firewall/vpn market, and all I hear from new customers is how bad their ex-Cisco PIX firewall did. Maybe it's because I'm on the higher end, but the complaints ranged from poor management capabilities and low throughput/conns a second limits to how small of a DoS attack could bring it down. This is all second hand knowledge, as I've never used a PIX personally.

    The company I work for first built a stateful iptables based firewall with TCP/UDP session offload, allowing for line rate speeds of 2 Gb/s bi-directional throughput (1.6 GB/s @ 64 byte packets). Our goal was to use as much open source as possible, as well as supply as much back to the community as possible. However, the higher end market isn't/wasn't accepting the iptables firewall, so we are now also a Check Point platform that kicks butt. The nice thing about this platform, is we aren't limited to just accelerating a firewall/vpn application, but IDS too (i.e. SNORT) at 2 Gb/s line rate. Ok, now I find myself starting to brag, so I'll go away now...

  13. Re:do checkpoint customers even use the fancy feat on Essential Check Point Firewall-1 NG · · Score: 1

    Some machines might be good enough to compete with Check Point running on a typical PC or low end appliance, but the throughput and performance of Check Point completely depends on the platform you choose to run it on, and there are many options out there other than just standard PC hardware. An example would be the Nokia platforms or, for really high end, the Bivio platform which does 80% line rate of even 64 byte packets. I'd like to see a PC (Sun or other) pull this one off.