Slashdot Mirror


User: EXTomar

EXTomar's activity in the archive.

Stories: 0
Comments: 788

Comments · 788

  1. Virus Down, Malware Up on MS Patch Train Leaves the Station · · Score: 2, Interesting

    I don't see C/C++ as being the problem. It is more that the security hurdles in Windows make it impossible to run efficiently in anything but a privileged account. This allows malware of all sorts to take advantage of vectors not found on other Operating Systems. Opening an email could infect your system if done in a privileged account. Reading a web page could infect your system if done in a privileged account. Browsing the local network resources can infect your system... So on and so on.

    You'd have to be a zealot fanboy to recognize that any Operating System is a complex software system. Complex software systems are prone to bugs and as pointed out every one of them receives regular updates to patch problems. The problem with Windows is not the bugs but the way they handle them which makes the entire process of correcting flaws painful. Today I've been chasing people to reboot their system after installing the patches (thankfully I can force the patch install remotely) because I know 90% of them won't reboot their machines. I tried once before to reboot in the early mornings but I got an earful from multiple people who didn't save and left things open.

    Windows is not only hard to patch in the enterprise, it's hard enough to work with that people won't close applications! Talk about a double whammy.

  2. Great Idea Except... on Half Of Businesses Still Use Windows 2000 · · Score: 1

    Is their company willing to:

    - Allocate the manpower to do the upgrade/migration? Going from Win2000 to Win2k3 doesn't happen nearly "automagically enough". In fact I'm not brave enough to try an upgrade on company hardware blind. There is a lot of iffiness involved especially if you depend on software components installed on the same machine because simply put Win2K3 behaves a heck of a lot differently. If that machine does anything else but serving MS software then be prepared for some serious clean up afterwards.

    - Does the company have the money? You said yourself "For the price of the server OS..." If their IT budget is stretched then it doesn't matter how spiftacular Win2K3 happens to be, it will be hard to justify spending more money on a system that is still working.

    From my personal experience, the best route for upgrading servers is to buy a new machine and phase out the old machine migrating the domain/directory information(*). The trick is of course, how many small businesses have the cash to really do this right? It has always been my recommendation for small companies with stable Win2K servers, especially one doing domain controlling, to keep them till they look like they are going to fail because they simply don't have the time or money to do the solid upgrades. When your email and domain and gigs of hard drive files are on one machine a small company simply can't afford to have an "oops!" moment during upgrading.

    (*) There are in fact more steps here. I would have them buy the replacement machine and software, do an isolated install and bring up all of the hardware and software on the machine to make sure the components work, and do some integration tests with other workstations. So on and so forth.

  3. Why? There Is No Profit In Space. on Funding Promised for Trips to Moon, Mars · · Score: 1

    The reason why the government and NASA have to be involved is because as far as anyone can see there is no profit in space. None. I've posted on this sort of crazy idea that the cure to space travel is privatization.

    All of the materials on the Moon or Mars can be harvested here. If the Moon was made of precious material I'd have no doubt that any number of the aerospace companies would be pushing cargo and passenger vehicles to facilitate exploitation of the raw materials. However, the Moon may be an exotic location but for the most part made of unremarkable stuff. You can get there, pour a foundation, and then...what?

    I'm not against any private company going into space but I'm also a realist: there is no profit in space so therefore governments need to lead the way for now. If the Far East wasn't full of goods Europeans wanted there would have been no reason to sail westwards and find this place. Until we find our "northwest passage of space" there is no reason for any private company on Earth to go to space.

  4. Error Code: 5xx Slashdot Effect on Zalman Showcase Massive P4 Heatsink · · Score: 1

    So posting a:

    503 Service Unavailable

    The service is not available. Please try again later.

    This is your answer to the slashdot effect? A bold new concept!

  5. The Trick Is... on New NASA Budget Woes · · Score: 5, Insightful

    People always suggest "they should privatize space!" but these same people fail to realize a fundamental problem: space is not profitable.

    There is very little out there to capitalize on (you know...the root of capitalism?). I don't think people realize how hard it is to travel out there (in terms of size, durability, and other huge problems). What does a company do with space exploration? If the rings of Saturn were made of gold nuggets we would be there. If there were diamonds the size of boulders on Mars we'd be there. Unfortunately by all measurements these places are remarkable but not useful for any business on Earth.

    I don't think you'll have MD, Boeing, Airbus or anyone else lining up to fund their own excursions into deep space because there is simply no money to make out there. Remember that Columbus had a plan to make money before going on his little trip. Expecting companies to explore space just because is unrealistic.

  6. Works Great For Single User Desktops on Windows Cheaper to Patch Than Open Source? · · Score: 1

    ...but lousy for enterprise deployments. Use just Windows Update for your maintenance for more than a handful of machines and you'll be tearing your hair out. Simply put: Windows Update is not sufficient for enterprise level control and anyone who thinks so is quite bonkers. It isn't even close to what IT needs and you'd be lucky if your desktop users don't even screw up using it.

  7. Installing Is Hard On Windows on Windows Cheaper to Patch Than Open Source? · · Score: 3, Insightful

    Windows installers are nightmares on the enterprise level. Too many dialogs that feature settings that should have been issued on a command line. Too many dialogs with non-installation information. (Hello?...EULA/README SHOULD BE HANDLED IN THE APPLICATION!!) These two create a situation where if you are going to install a piece of software on more than a handful of machines you really wish they had a silent install. More often than not you are stuck babysitting installs blindly clicking "Yes"s and "Okay"s and "Next"s. Yay for the TCO.

    A "sin" Microsoft cultivated a long time ago is confusing "installing" and "configuration" together. If you tie both of these processes together it makes support murky. Did the installation fail to place files or did it mess up setting some value somewhere? Installers should be concerned with tracking/placing software components. Programs should be concerned with configuration. Because of MS including this level of complexity it also had the side effect of making it hard for a user to inspect packages before installing. There is no way for a desktop user to find out what an MSI package provides, what it requires, etc before installation. Another side effect is that people writing installers are often forced to package all dependencies with their application instead of making seamless stacking installs.

    Making a Windows installer actually enforce component dependencies suffers from the same "DLL Hell" type problem that has plagued Windows forever. Most installations are written loosely: you can uninstall CompA which ProgramB depends upon and the system happily complies.

    With all of that said, Windows installers are bad. Linux and other Unix-like systems are okay but they are more interested in software integrity than ease of use. You can't beat Mac: Drag a folder into the apps folder and it's installed, take it out of the folder to uninstall it. At this point I can't imagine why anyone would want any system to be more like Windows.

  8. Gates' Idea Is Not Humane on Information Overload Overblown, Says Gates · · Score: 2, Insightful

    If you subscribe to the ideas laid out in "The Human Interface" the idea that people love to have random information dumped onto them is not humane. People may want a ton of information but they don't want to spend time "ordering" it. Beyond this humans just can't handle giant lists of disparate information well at all.

    Consider an audio ripping program. If a user were required to fully detail each file before they could listen to them in a player, one would spend all of their time typing information into each file instead of listening to the data. Filling out metadata seems to be a machine task not a user one. It is good to know what files were written by what artists. It is not good to force people to enter it. That would be tedious and prone to error: these are things machines actually excel at accomplishing so why make users do it?

    Apple and Google have been putting tons of effort into making machines fill out the metadata instead of making users do it because it is really a task for the machine. If Gates expects users to fill out all of this stuff he is bonkers.

  9. Also By Comparison on Microsoft Begins anti-virus Software Development · · Score: 1

    Keep in mind Ford doesn't have an agreement with each and every customer that says "If it blows up or you are maimed by using our product, we are not responsible"...which Microsoft does.

    Ford can't afford to ignore disastrous engineering failures. Microsoft can by writing it off with marketing. Lucky for us most durable goods don't come with shrink wrap licenses right?

  10. Kind of Backwards on How Battlestar Galactica Killed TV · · Score: 1

    The reality is that the shows that get fansubbed are ones that fansubbers like to watch and not the general "viewing public". Most "fans" just download stuff for the sake of downloading something due to free time and unused bandwidth so just having a fansub and just having X people download doesn't indicate very much about a show which tells Japanese producers almost nothing about their shows. What does end up happening all too often is that movers in the industry will not care how many will download a show but are far more interested in board discussions and the like. This is a far better indicator of the fan reaction to the show than the silent no-names that generate bandwidth.

    This effect is a gold mine for those who are savvy in the Anime industry. They get a ton of marketing response with much lower overhead and without tainting the response by announcing the company's interest. Watching Internet chatter on the show (not the downloads) gives you far better information than a billion of those "viewer cards" they stick in the Region 2 DVDs and the magazines. You can tell what the hits and duds are for any given season just by the amounts of discussion on most boards where there are already forces behind the scenes taking careful notes.

  11. The Tradeoff on Sarge is Now Frozen · · Score: 1

    As complex as some software is, especially the modern operating system and core tools, you often have to trade testing time for new features for stability.

    The main gripe with Debian and the reason why Ubantu (sp?) was created was that Debian was taking too long. Stability didn't frankly matter as much as getting modern features inside of the system. Sure it is stable but other distros are incorporating tools and features that make Debian the most primitive distro out there because of being stuck in a semi-frozen state for so long.

  12. Same Boat, Different Paddle on Microsoft Misses Quarterly Revenue Projection · · Score: 1

    My company's software purchases have also shrunk to nil and I can't get people to embrace more Open Source products. It doesn't have as much to do with alternatives but that there is simply no budget for it.

    Simply put budgets on hardware and software are still tight and no one simply sees the reason on why to buy Win2k3 if our old servers on Win2K are still working just fine. We can't spend money on new machines. We can't spend money on new software. Most importantly we can't spend money on manpower to do the labor in upgrading.

    Unless there is a catastrophic failure or free hardware, free software, and free manhours fall out of the sky I bet most small companies are like mine: they simply won't send any more money to Microsoft for the moment.

  13. Overuse of Signatures on What to Expect from Linux 2.6.12 · · Score: 1

    Arg, people are constantly overusing signatures and "signed code". Signed code just signifies that the contents of the package match what the packager packaged (ie. no tinkering). It does not by itself stop malware. A packager can unwittingly package malware or worse a packager can knowingly package malware, sign it and get people to run it.

    I feel that measures like this need to be used carefully lest you want to get into a situation Windows is currently in. So many tools and so many mechanisms that are convoluted and not exactly integrated with each other make for an unusable security system that users would rather defeat than enable.

    I do easily admit that there are places where trusted implementations of Linux make sense. Off the top of my head "sealed" embedded Linux kernels would make great use of this mechanism. However most Linux desktops do not need another set of tools to lock down security. The kernel should offer the generic facilities but I'll be disappointed if it is forced enabled on all kernels.

  14. Um...Are We In The Same Universe? on Microsoft Releases Eight Security Updates · · Score: 1

    To do a "nightly update" on a Fedora machine you do this:

    % yum -y update

    Works great, scales well (throttled by network bandwidth). I don't even have to be there to do it. A regular user can continue to use the machine happily. If it requires a reboot then that can be done much later unless flakiness arises. The point is it doesn't interrupt my work nor the user's work.

    To do a "nightly update" on Windows you have to:

    - Go physically find the machine if you have no deployment tools or remote desktop.
    - Login if no one is there. If someone is there, remind them to click on the icon on the tray to patch their machine ("Please, sooner than later"). The worst: boot someone off the machine who locked their desktop. Whatever they were working on is gone.
    - If you are lucky, the patch itself requires no real user interaction. If you are unlucky, be prepared to get a lot of calls on the help line asking "Should I click 'I accept'? What is this?".
    - If you are lucky, you don't have to reboot. More often than not you have to. Not so bad for desktops although many will wait for their Lunch break to do it. So very bad for live servers because you have to actually schedule time to do it.
    - If you are really lucky, nothing else goes wrong. People go back to work. Reading around it appears on some configurations that one of the patches makes the system unbootable. If you are slightly less lucky it is just booting into the Admin console and fixing the problem. The alternative is well....unpleasant. I don't have time to monkey with an individual workstation since there are several more people having problems. Reformat/restore from the stock image if the simple fixes don't work.

    I can't say I want any of the Linux machines to behave like how Microsoft does Windows update. Yum and apt-get are infinitely more pleasant to work with. The problem isn't with Windows Update though...it is with the fact that patching Windows sucks.

  15. Because MS "Painted Themselves Into A Corner" on Microsoft Releases Eight Security Updates · · Score: 5, Insightful

    Why wait a month? Because their patching system blows. They didn't learn lessons learned decades ago about how to patch core components and kernel services and now we live with this every day (or month as the case may be).

    Patching a single Windows machine is difficult especially if you are a novice (many still don't understand why computers "just don't work"). Patching many Windows machines is hard. Patching a live server is hard. Considering how hard some of the patching is on some machines you might even want to consider waiting a few more days to the weekend to apply this patch to patch them especially since one of the patches fixes exploits that are mitigated by using firewalls. Regardless Windows is so hard to patch you can't have the "on the fly" patching other platforms feature.

    It is really lesser of two evils. You can either spend almost all of your time patching or you can lump the difficult time in one large shot. If MS dropped patches whenever they felt it was complete (which is good for security!) you finished updating the entire enterprise (this might take weeks if not a month with serious stuff like SP 2) you'd have to start over and do it again for a brand new one. So on and so forth.

    The real problem is "patching Windows is hard". The "fix" right now to this is pushing patches once a month. As long as Windows is hard to patch then there is no other real solution to this horrible situation MS sold us on.

  16. Re:Balancing freedom and zealotry on BitKeeper Love Triangle: McVoy, Linus and Tridge · · Score: 1

    What I read between the lines is that Larry McVoy is more than willing to provide some sort of facility to export data in a native format however for one reason or another this wasn't sufficient for what Tridge wanted so he went ahead and did it himself.

    Maybe it was a matter of timelines (Tridge can provide the functionality faster than McVoy). Maybe Tridge has a neat idea on extending bk functionality with preexisting bk protocols. Maybe he wanted to do it anyway for kicks. The point is that if done right reverse engineering is fine but McVoy freaked out.

    As for the reason why Tridge has said very little is that he has probably been instructed by his lawyers to say very little on the matter. I can't blame him the way McVoy is freaking out...

    Torvalds now has to deal with the mess which clearly would have been avoided if bk was Open Sourced to begin with. Tridge would have just tossed his improvements in with the rest to be merged. Now we have a mess where Torvalds doesn't have a way for exporting bk data and can't use bk now.

  17. Would Be A Fine Idea If And Only If... on NASA Proposes Ending Voyager · · Score: 1

    I wouldn't have any problems with cutting funding for tracking and communications for the Voyager probes if and only if that 4 million is put into something worthwhile. Oh say, just a wild idea...how about a Voyager 3??

    But I have this sneaking suspicion that the money is just going to be cut along with other NASA expenditures just so we can pay down debt and sponsor more stuff going on in Iraq. Oh well...that stuff is important too but it is still a bitter pill.

  18. Except When You Have An Enterprise on Microsoft Releases Windows Server 2003 SP1 · · Score: 1

    There is already network hardware that will drop machines into a "sealed" network if they detect anything wrong. They will get a rude awakening when they suddenly can't surf to hotmail.com because they've been disconnected from the general network due to detection of bad traffic. But this stuff isn't exactly cheap.

    In any event, this might be a great idea for small install bases but if you have to administer a number of machines this is not feasible. Having to remotely monkey with a machine is enough of a burden in Windows. Having to physically move from machine to machine is bonkers (especially when co-located).

    And people wonder why I laugh at the Cost of Ownership of Windows being cheaper than other productions. All of these hoops you have to jump through to keep the thing running.

  19. Far Too Many Variables on 95% of IT Projects Not Delivered On Time · · Score: 1

    I don't see this as a human failure but more of an unrealistic expectation with limited resources. In short any project will encounter any number of problems along the way most of which were never dreamt of during the meeting room planning phase. The best planners try to learn from past experiences to plan for the semi-cyclic stuff but in the end there are too many variables that will interfere. From the mundane (a server blows up taking out internal development for a couple of days) to the rare (a developer is run over by a bus).

    Who can ever plan for that? The best scheme I've seen is make a solid "best situation" plan, set key milestones to check "sanity" along the way, and then double it.

  20. 329.3 MB Of What? Why The Monolithic Patches? on Microsoft Releases Windows Server 2003 SP1 · · Score: 4, Interesting

    It is quite hefty but then this is what I expect from "Service Packs" especially in one giant chunk.

    "Download time remaining: 22 minutes"

    So now I'm chained to the box since I suspect at some point I need to click something on some dialog to complete installation (this is an assumption but past history on other updates tells me I should watch the process to make sure it goes all the way through).

    On the other hand I had to set up a server based off of FC3 yesterday and out of the box it required to download 450MBish of stuff broken into 150+ individual downloads. After installing the gpg keys, I started the update ('yum -y update') and walked away from it. Other systems have something that is just as easy and dare say fool proof.

    I would really like MS to bite off things in smaller chunks. I do recognize the fact that every part of the 329MB download is probably necessary but why not roll out in both a large chunk and small chunks to accommodate different enterprise configurations? I like having options on rollout but I constantly find Windows rollouts very lacking.

  21. It Doesn't Help That English Absorbs Everything on "English" Not Threatened By Webspeak · · Score: 2, Insightful

    Is English the ultimate 'pidgin' language? *shrug* It does seem to absorb everything.

    English is built upon 30% French, 30% 'Latinate', 30% West German, and the rest is what was lying around the British Islands (Celtic, Gaelic, etc.). All of these influences happened because Britain was invaded...a lot. It has touched many cultures and been everywhere. Grammar and spelling rules are more dictated by historical reasons than phonetic. It is also heavily 'exported' all over the world due to world influence of Britain and now the US.

    Is it bad that Instant Messenger programs and computer communication in general is changing English? Not really. It just shows that English is very much a living language. Besides I consider it to be a transitive thing: people generate grammatic errors and choose different patterns because of the keyboard input. Once technology evolves to something different for the primary Human-Machine interface then this will be less of an issue.

  22. Loss of Balance on Students Do Better Without Computers · · Score: 1

    Computers are still tools. A tool that can help or hurt. As much as I have used a computer to create I've also found that it is easier to use one to waste a lot of time. This isn't necessarily bad...playing Half-Life 2 is a complete waste of time in the grand scheme of things but it is for my well being.

    One thing I feel many parents are missing is the concept of balance. Parents are constantly pushing "work" and punishing "play" when what is really needed is to strike the balance between them. If parents don't, their kids go off to college and find out just how much "play" there is in the world and end up ignoring a lot of "work" and making a messy situation.

  23. "Secure By Default"? on Some Linux Distros Found Vulnerable By Default · · Score: 3, Interesting

    Doesn't OpenBSD still install 'ftpd' by default? Although it is not turned 'on', the fact is it is still on the file system ready for exploit and requires rigorous patching unless you take steps to remove it. Doesn't this seem like a dubious definition?

    I'm all for making special install kernels and distros "out of the box" to be as hardened as possible. I would love to see many distros do a "paranoid" configuration. There are plenty of things OpenBSD does right but that does not excuse OpenBSD. Just like Linux and every other operating system out there, they can still strive to do better.

  24. How Does This Work? on Major PC Makers Adopt Trusted Computing Schema · · Score: 1

    I don't know of all of the details but it seems just like how DVDs are supposed to be secure and encrypted all along the decoding chain. We all know how well that turned out. And ultimately we must think was it such a bad thing to have the encryption broken? It may be purely coincidental but it looks to me like people were happier and more willing to buy DVD hardware in computers once this was broken and made openly available.

    In general, security is about holding secrets in the right places. Putting secrets in the portable hardware is not the smartest thing to do. Isn't it like taping the key to your front door on your front door? Help me understand why this is a good idea beyond vague marketing?

  25. If It Means No More Think Secret? on Apple Wins Against Bloggers · · Score: 1

    If it means no more dubious "magazines" like Think Secret and their ilk then bust out the crystal and caviar!

    Too many people fail to realize that this case was about people breaking NDAs and shielding them. Think Secret isn't doing the world any favors. They are airing Apple's clean laundry (as opposed to their dirty ones). I'm pretty sure that any other reputable journalistic publication would have scrapped any story that was based on the stealing of information like this.

    Simply put, unless it had something to do with Apple using child slave labor or something equally heinous against the public good, why does anyone involved think they can ignore Apple's carefully crafted NDA?