If the thing already runs QNX, what's the possibility of just hacking through whatever sort of UI stuff that automagically boots from the built-in flashdisk thing and just getting a basic QNX system running on it?
I lucked out when I bid on one on eBay and the fellow running the auction responded that he had a whole pile of 'em, so I bought a whole pile of 'em. eBay usually has a few listings for "Original IBM keyboard" or "clicky style IBM keyboard" or something, usually for pretty good prices. If you're lucky like I was, the auctioneer has several listed and you might be able to get directly in touch to buy several.
The biggest reason I've never switched to an ergo keyboard is because I still use a big clunky IBM keyboard from 1987 simply because I LOVE the feel of the keys. If I could find an ergo keyboard with the same key feel (like if IBM made an ergo keyboard...) I would switch in a second because I have lots of wrist/hand problems from typing so much. Are there other IBM keyclick lovers out there who have found an ergo keyboard they are happy with?
As far as I'm aware, Sun's "official Linux JDK" is *not* the same as the Blackdown release - this is still the Sun/Inprise release. Sun *have* given Blackdown some credit for the port since the Sun/Inprise version is based on an earlier version of the Blackdown codebase, I assume they have miraculously managed to learn from their earlier mistake.
An important distinction between the two is that the "official Sun JDK" does NOT support native threads and in fact recommends NOT running it on SMP machines, while the Blackdown release does native threads and SMP just fine.
While I applaud Victor's plan to allow Linux users royalty-free license to the patent, the fact is that already there is some amount of controversy with questions like, "Well what about BSD users? Hurd? What about other open/free OS's that might accidentally 'discover' the same way of doing things? If Victor doesn't sue them for patent infringement, does that open the doors for a Microsoft or a Sun to come in and use it 'illegally' without paying a license?"
I just think that no matter who, no matter what, no matter how, no matter why, software patents are simply a Really Bad Thing for programmers.
I'm just curious, did you ever inform the LinuxOne sales drone that you were recording that conversation? If not, you could get into some serious, serious trouble. Remember President Nixon?
"...Hurd is Object Oriented, unlike Linux, so it may be a superior system in the long run."
I'm sorry, usually I try to stay away from straight-flamage type comments, but I can't help myself this time.
What the hell is that statement supposed to mean? What makes an "Object Oriented" OS "better" than another that's not "Object Oriented"? What do you mean by saying the OS is "Object Oriented" anyway? By extrapolation, does this mean we can now definitively say that since C++ is "Object Oriented," it may be a superior language to C in the long run? (And if so, is Hurd written in obviously superior C++ or obviously inferior C?)
Hurd goes about supplying services to the system processes and end-user in a different way than Linux does. They're different. That's it. End of story. If you think "the way Hurd does it" is "better" then fine, that's your opinion. Better people than you have had similar opinions; go search the 'net and find that legendary exchange between Torvalds and Tanenbaum regarding why a microkernel is superior and why Linux is doomed to failure because it's monolithic.
This is one of the most incredibly content-free, flame-inviting statements I've seen in the main body of an article on /. for a long time.
For like years those guys had a link on their Media Player page to some kind of "Beta" version of a Linux player that for all reports (never tried it myself) was very half-hearted and half-assed, just so they could say they were "multiplatform." It's just FUD, misdirection, propaganda, bandwagoning, whatever....
You'll never see Lightwave ported to Linux. The company (not the developers) seem to be vehemently opposed to it for some reason. (Alan and Stuart on the other hand have repeatedly said that supporting new architectures/OS's is a matter of a day or two's work porting over the interface/framework code and then running make.) Since NewTek currently has SGI, Mac and Sun ports of Lightwave, one would assume that if you could convince them that the Linux market was larger than the SGI/Sun combined, they might think about it, but don't hold your breath. (Especially since they've outsourced the SGI, Mac and Sun ports to other companies who actually do the porting and support, which is why the non-NT versions are usually a couple of revs behind the NT version.) I've actually spoken with NewTek management about sponsoring a Linux port and gotten nowhere, despite their having said publicly that "if someone can present us with a viable business plan for producing a port of the program, we'll give them the code."
If you poke around on the A|W site, you'll find information about becoming a beta-tester for the Linux beta of Maya. You'll have to find it yourself because I don't want to cut into my chances of actually making the cut. :)
Softimage, I don't know, although it would be really nice to see. Avid has owned Softimage for a couple of years now, and Softimage development is actually done by some company in Germany I think, (rather like the way 3DSMax is, or was, owned by Autodesk but developed by Kinetix.) so it's kind of confusing to follow, but IIRC, they do at least offer their Mental Ray rendering engine on Linux and have for a couple of years now.
Do we know this is for real and not someone trying to hoax slashdot? (Not that I wouldn't necessarily be pro- a prank like this that would bring peoples' attention to the stupidity of the DVD industry...) I can't really get the .no registrar to do what I want it to as far as finding out who actually owns mmadb.no and so on...
The big trouble with IDE is still that they are "dumb" devices that require CPU resources to manage. On workstations doing lots of disk access I can see NOTICEABLE performance degradation between similar hardware, one of which is IDE, the other of which is SCSI. The nicest thing about SCSI is the fact that the controller offloads all disk management off of the system's CPU. If you're doing power computing, this makes a big difference. Also, as someone else mentioned, IDE has real problems allowing the system to manipulate multiple drives simultaneously, a problem SCSI does not have. For some schmuck just dicking around with Netscape so they can browse the web, who cares, but for hardcore users with big machines trying to get real work done, it can make a legitimate difference.
From a server perspective, there's no question that SCSI is the best. Just TRY putting more than four IDE drives into a Linux box without tearing your hair out and threatening to take a shotgun to the thing. The only way to do it is to get some sort of additional IDE controller like the Promise controllers which are unmitigated junk. I don't even want to mention the hoops I've gone through to get a Promise Ultra33 stable in my Linux server. What makes it worse is that I could buy the four IDE drives I put in there for about the same price as I would have been able to pick up two SCSI drives of about the same size. (It's not that SCSI is so tremendously expensive as much as it is that IDE is just dirt cheap.) More unfortunately, I needed the space and I didn't have the extra money, or I *would* have just gone with SCSI. (As it turns out, I spent so much time trying to get the IDE drives working, I probably *should* have just gone SCSI from the get-go and saved myself money in the long run from doctor's bills from high blood pressure and ulcers trying to build an IDE-based server will give me.)
I see the whole "IDE vs. SCSI" thing as yet another case of mediocrity winning the battle. It doesn't have to be great as long as it's cheap and good enough to get the public to buy it. For those of us who like quality, we just have to pay so much more. Unfortunately, unlike the software industry, there's no way to start an "Open Source/Free Hardware" movement to force the other manufacturers to start focusing higher on quality.
The bumblebee (and other insects like dragonflies and houseflies that have similar flight surfaces) *use* the vortexes that their wing flaps generate to cause a slight vacuum above the wing, which creates additional lift, in addition to the normal lift from the wings' downbeat. Dragonflies in particular take advantage of the weird turbulences their wings generate to do all the amazing dragonfly types of things they do in the air.
I could have sworn I had seen a reference to some scientist at Berzerkely (I think) right here on Slashdot who had recently built like a 50x scale model of a bumblebee to study its aerodynamic properties and come up with the canonical explanation of how they manage to stay aloft.
I've been trying to mess around with potato on and off for the last few weeks and have had nothing but problems getting it installed, despite the number of people saying things like "I've been running potato for months with no problems..." Things like broken package dependencies, inconsistent Package files vs. what's actually on the site, etc. Only just the other day did I manage to actually get a potato installation to complete successfully, and apparently it's because the developers were preparing to freeze it...
I've been wanting to play with Debian for some time (I usually run RedHat because it stays fairly recent and usually works) but running slink was like being stuck in the stone age. I hope the Debian fellows have some kind of plan for more frequent updates, or at least more in line with the rest of "the Linux world." (i.e. not having your stable distro using Kernel 2.0 with glibc 2.0 when 2.2 and 2.1 have been out and stable for almost as long as your distro.)
No not really. I've come to the conclusion that the /. gang just doesn't want to release the code for whatever reason and just uses the "the code's ugly, it still has bugs, it only works on our systems" rationalizations as excuses. Why? Who knows. Who cares. There are a number of other products out there now, like Squishdot that HAVE released the code, so I'll use those instead.
As for the usefulness of SourceForge code, you better believe it! I work for a small software shop - one that's too small to be able to afford to buy some Big Brand Name project management software. Not that that's ever really hurt us - we're using pretty much all the same tools that SourceForge is front-ending, which means that if I can slap SourceForge on top of the stuff we're already doing, whammo, I have instant web-based project management for our little company and the only thing it cost us was the time it takes me to get it set up! And besides, I'll have all the code that makes it run, so I can easily modify it to suit our needs if I need to! Yes, my time is valuable and I could have been out there working on pay projects, but I think the end-result is much more valuable to us than if we had bought some closed-box software of which we didn't understand the inner workings.
From what I understand (I don't use their products directly myself but work with several people who do) "Secure Computing's patented Type Enforcement technology" is basically a variety of a "capabilities" system, which are already under development from a couple of angles on the Linux front. (And in some small part already part of the 2.2 kernels, although it's way beyond my knowledge what, if anything, you can use them for right now.) Not that it wouldn't be A Good Thing to have yet another player in the game, but this technology shouldn't be looked at as anything too ground-shattering.
Secure Computing, from all indications, is probably the best of the major firewall/security vendors to have gotten involved with this sort of project in terms of "with-it-ness" and overall technological knowhow.
This project is probably something Secure Computing themselves were interested in already. Most of their products are run on heavily-modified versions of BSDI 1.x, for which they purchased a source license many years ago, which means they carry along all the baggage of what sort of hardware compatibility that ancient version has, namely very little at this stage in the hardware game. (For example, the last time I was around to help set up a Secure Computing firewall, we had to dig up an old ISA Adaptec 1542 SCSI controller for the box.) I'm sure they were just waiting for one of the FreeOS's to reach a state of stability that they could grab the sources and mod them to work for their own uses. I would guess that they picked Linux over one of the BSD's at this point based on hardware compatibility or market share as opposed to strictly technical reasons since they obviously have people who are very familiar with the BSD kernel on-staff already.
It will be interesting to see what they do with any mods they make to the kernel, since I predict they'll be using their hardened Linux kernel as the base for new product lines in the same manner they're using their hardened BSDI kernel now. Since they'll be shipping binaries to customers, the GPL will require them to also ship source code, unless they manage to figure out how to harden the kernel strictly using modules, which I don't see as possible.
"This is the danger of anti-trust law and the seemingly logical arguments that support those laws. I don't mean to say that you're wrong, because these issues are notoriously slippery, I mean to say that it is by no means this simple."
I absolutely agree. I'm not even sure that I would say that a Verisign/Thawte merger *should* be considered a "monopoly", only that it would certainly, for *many* reasons, be "bad" for the industry.
In fact, as I sort of skirted around in the previous comment, I don't even think the best solution to the problems that would certainly arise from a merger between these companies would be to disapprove the merger but to revamp the way secure communications happen over HTTP. As someone else pointed out in another comment somewhere, IPSec is something that might make the merger a moot point anyway, but I think the deployment timeframe for IPSec will prevent it from being a "total" solution for some years.
"Your argument is that there is a significant barrier to entry into the market and that competitors cannot easily begin to compete because of this barrier."
Not entirely, just that several barriers exist, two of which (the list of CAs that come with the browsers today and the relative cost and/or difficulty of becoming a company that people will trust to verify the identities of sites on the 'net) aren't even really related to a server's ability to do encryption. If it were just a matter of writing some new software, you've gotta admit the entry to the market would be a lot easier since all you'd need were some good programmers as opposed to trying to make some sort of "Relationship" between yourself and the browser makers and also the ability to accurately do identity verification.
The biggest problem, as I see it, is that the way SSL happens, you HAVE to have a CA before your server can effectively do SSL, even though the signing of your certificate has nothing directly to do with the fact that your SSL server can do encrypted HTTP traffic.
The fact that SSL servers act the way they do causes lots of problems with a situation like this because you can't really "blame" Verisign or Thawte for making SSL happen the way it does - so is it their problem that you need to get a CA to sign your certificate before your browser will stop complaining about an invalid certificate? Does that mean you shouldn't let them merge? Isn't it Netscape's "fault" for designing SSL the way it is that you have to have a signed certificate to do SSL? Is it the browser manufacturers' fault for not making the error messages more descriptive that a certificate signed by someone not in the built-in list of CAs has no bearing on the security of the connection?
Every time I have to deal with setting up a new SSL server, it just reaffirms my conviction that the whole SSL thing just needs to be redesigned to avoid these issues to begin with. Have one part of the spec handle encrypted communications and another part entirely deal with the certificate/identity part of the issue. (I'm sure the reason it's done the way it's done is because Netscape believed that by now there would be so much encrypted commerce over the internet by now, between companies and individuals, that the X.509 certificate on the parts of both parties would be an invisible part of the situation to the point that you would simply go to a website and click "buy this" and the server would initiate some sort of secure connection to get *your* X.509 identity and handle all the commerce stuff invisibly, instead of the more-or-less invasive method of going to the secure server and filling out a bunch of HTML forms with your personal information that we're actually doing.)
And besides, it would make me feel better if we didn't need the CAs to do SSL because I get so irked that they like to claim that they're a necessary part of doing secure communications over the Web, when that's such a misleading statement. And Verisign's the worst because they don't even do the part of the job they're supposed to do (identity verification) very well and still want to gouge you for hundreds of dollars to do it.
A lot of comments are asking "Why is this such a bad thing? If Verisign/Thawte just get too big and snooty, other competing companies will spring up and the market will regulate itself." Except that it doesn't work this way.
What Thawte and Verisign do isn't exactly related to the encryption part of SSL, it's related to the X.509 certificates of sites that implement SSL. A site can do SSL without a certificate signed by Thawte or Verisign, but if the Certifying Authority that signed the certificate doesn't have its own signature in the lists of CAs maintained by the browsers (Netscape and MSIE include a list of CAs on the local machine when they get installed; I'm not sure how other browsers handle it.) then the browser will pop up some manner of error message when the site is contacted to the effect of "This site's certificate is signed by someone we don't know, do you want to continue?" It doesn't affect the server's ability to do SSL traffic - it can still do that - it only affects the browser's ability to verify that the certificate assigned to the site is who it says it is. (i.e. if you go to a site called www.mcdonalds.com to buy burgers over the 'net, you can look at the certificate to verify whether or not this is really the place that has the golden arches out front by the information in their certificate.)
The problem here is that probably 95% of the people doing e-Commerce on the net today are going to balk at a purchase if ANY sort of message box that looks like an error box pops up. It doesn't matter if you explain to them that the message only means that the browser doesn't recognize the authority that signed the certificate and that traffic is still encrypted when you communicate with the server, like my mom, they're just going to see an error message and freak out and not want to do business there. (In addition, I've personally had problems with MSIE properly passing information from forms when connecting to a secure site before we get the valid certificate installed. With the "Push here to connect to our secure server" button, ID information we might want to pass across to the secure server seems to get vaporized or something in the process of the user clicking the "Ok, connect anyway" dialog.)
So why can't some new, faster, better CA pop up and just start doing business? Because their signature isn't in the tens of millions of copies of Netscape and MSIE that are already active on the internet. Why can't they just get their signature into the new version? They can, I suppose, although after looking into it from a developer's perspective, I've not been able to find out how one would go about doing this other than I suppose contacting Netscape/AOL or Microsoft directly and passing along various salespersons until you found the person who could tell you how you could pay to have your CA's signature put into the next version. It still doesn't help the millions of people who haven't upgraded yet and will still get that error message.
Further, even if you could manage to get your signature into the new versions of the browsers, there's still the issue of what a CA is supposed to do. The CA exists to verify that the server is run by who it says it is. That means when you go to www.mcdonalds.com to buy burgers and check the certificate and it says "McDonald's, Inc." the CA had better have done its job and verified that the server is indeed being run by the golden arches people. If not, and the customer gets a load of rancid meat, I don't know what kind of liability comes into play, but in the U.S. anyway, someone's probably going to try to sue someone. It's hard to run the kind of services you need to be able to do this sort of thing reliably out of your living room, which means that the cost of entry is rather high. (This is completely ignoring the fact that most CA's I've dealt with lately just seem to accept any old thing you feel like faxing them with whatever letterhead you can throw together. As long as I have a Microsoft Word Form Letter Wizard that can put the McDonald's logo on my letterhead, I could probably get a certificate signed by one of the big CA's stating that I'm McDonald's, Inc.)
So, the problem with this merger is that if you combine Thawte and Verisign, they not only have 99% of the market, but also they, or subsidiaries of those two companies, are most of the CA signatures included with the current version of your web browser. The monopoly is not only in the market share, but also in the fact that the browsers themselves limit the number and which companies are "allowed" entry into the business without generating error messages on the client machines.
One solution would be to separate out the encryption from the trust capabilities; i.e. don't make having a valid X.509 certificate on your site a prerequisite for doing encryption. Or at least program the browser differently so the error message just warns about an unsigned certificate but specifically states that encryption is still capable, you just can't verify that the site is run by who it says it is. Again, this still doesn't fix the problem of the millions of people using current or old versions of the browsers out there right now.
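The trust-list check described in the comment above, as an added example that is not part of the original post: a site certificate issued by a CA that is missing from the browser's bundled list fails issuer verification, and the same certificate passes once that CA is added to the list. It assumes the `openssl` command-line tool is installed; the CA names, the host name `shop.example.test` and all file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original comment. Everything here is constructed:
# the two CAs, the site name and the "browser list" files are illustrative only.

# Create a self-signed CA certificate. $1 = file prefix, $2 = CA name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a site certificate. $1 = site file prefix, $2 = host name, $3 = CA prefix.
issue_site_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1.csr" -days 1 \
        -CA "$3.pem" -CAkey "$3.key" -CAcreateserial -out "$1.pem" 2>/dev/null
}

# The browser-side decision: is the issuer of the site certificate in the
# bundled CA list? $1 = bundled CA list (PEM file), $2 = site certificate.
# Only issuer trust is checked; the site's key pair can encrypt either way.
browser_verdict() {
    if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "trusted"
    else
        echo "unknown-issuer-warning"
    fi
}

# Scenario: the installed browsers ship only the incumbent CA; the site bought
# its certificate from a newcomer CA that only a later browser release bundles.
run_demo() {
    dir=$(mktemp -d) || return 1
    make_ca "$dir/incumbent" "Incumbent CA (constructed)" &&
    make_ca "$dir/newcomer" "Newcomer CA (constructed)" &&
    issue_site_cert "$dir/shop" "shop.example.test" "$dir/newcomer" || return 1

    # CA list inside the browsers people already have installed.
    cp "$dir/incumbent.pem" "$dir/shipped-list.pem"
    # CA list of a hypothetical later release that also bundles the newcomer.
    cat "$dir/incumbent.pem" "$dir/newcomer.pem" > "$dir/next-release-list.pem"

    old=$(browser_verdict "$dir/shipped-list.pem" "$dir/shop.pem")
    new=$(browser_verdict "$dir/next-release-list.pem" "$dir/shop.pem")
    rm -rf "$dir"
    echo "installed browsers: $old; next browser release: $new"
}

run_demo
```

The site certificate and its key are byte-for-byte identical in both checks; only the contents of the client's CA list change the verdict.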
Ok, so I thought that "Caldera, Inc." spun off "Caldera Thin Clients" into "Lineo" and then became "Caldera Systems, Inc." but according to some of the posts under this article, "Caldera, Inc." is apparently still around? I'm confused.
What does "Caldera, Inc." do anymore, or are they just a company that exists for the express purpose of suing Microsoft since "Caldera Systems, Inc." is the "OpenLinux company" and "Lineo" is the "embedded Linux, DRDOS, etc. company" or do I have that all screwed up, despite looking on all their websites.
(FWIW, "www.caldera.com" and "www.calderasystems.com" are identical and feature Open Linux, "www.lineo.com" is what you would expect with Embeddix, Embrowser, DRDOS, etc, and "www.calderainc.com" forwards to "www.drdos.com", the only content on which is information about the "Caldera vs. Microsoft" lawsuit.)
Today, Microsoft and Caldera settled their long-standing lawsuit in which Caldera claimed Microsoft used its dominance with Windows 3.1 to eliminate DR-DOS, which Caldera obtained from Novell in 1996, as a competing operating system.
Bryan Sparks, CEO of Caldera said, "We are happy to have finally settled this lawsuit to the satisfaction of both companies" while casting furtive glances at the two hulking, brutish men in black suits, dark glasses and Microsoft employee badges standing behind him.
You eat them to freak out your mundane office co-workers who have no clue there is such a thing as packing peanuts made of corn starch or rice starch or whatever they're made of.
The look on their faces when I grabbed a handful and shoved them in my mouth and then SHOWED them I had actually swallowed them was priceless...
Baryonic matter is the sort of matter we find in this universe. i.e. stuff made of protons, electrons and neutrons. Non-baryonic matter would be made of other particles, which would be extremely strange, but some scientists have a theory that the "missing mass" of the universe may in fact be non-baryonic matter, which is why we have a hard time finding it.
I don't consider "We are making it appear through press releases that we own the patent on displaying Windows apps remotely on X Windows, but if you are a patent lawyer and study the patent in close detail, you might find out that its coverage is not quite as broad as we are proclaiming it to be" an ethical business practice.
The movie sucked anyway. What I want to know is when the Indiana Jones trilogy is going to be released on DVD! *That* one I would snap up in a heartbeat!
I hope someone at Sun is feeling like an idiot about now. (But probably not. He probably has his head too far up his @$$...)
"Your argument is that there is a significant barrier to entry into the market and that competitors cannot easily begin to compete because of this barrier."
Not entirely, just that several barriers exist, two of which (the list of CAs that come with the browsers today and the relative cost and/or difficulty of becoming a company that people will trust to verify the identities of sites on the 'net) aren't even really related to a server's ability to do encryption. If it were just a matter of writing some new software, you've gotta admit the entry to the market would be a lot easier since all you'd need were some good programmers as opposed to trying to make some sort of "Relationship" between yourself and the browser makers and also the ability to accurately do identity verification.
The biggest problem, as I see it, is that the way SSL happens, you HAVE to have a CA before your server can effectively do SSL, even though the signing of your certificate has nothing directly to do with the fact that your SSL server can do encrypted HTTP traffic.
The fact that SSL servers act the way they do causes lots of problems with a situation like this because you can't really "blame" Verisign or Thawte for making SSL happen the way it does - so is it their problem that you need to get a CA to sign your certificate before your browser will stop complaining about an invalid certificate? Does that mean you shouldn't let them merge? Isn't it Netscape's "fault" for designing SSL the way it is that you have to have a signed certificate to do SSL? Is it the browser manufacturers' fault for not making the error messages more descriptive that a certificate signed by someone not in the built-in list of CAs has no bearing on the security of the connection?
Every time I have to deal with setting up a new SSL server, it just reaffirms my conviction that the whole SSL thing just needs to be redesigned to avoid these issues to begin with. Have one part of the spec handle encrypted communications and another part entirely deal with the certificate/identity part of the issue. (I'm sure the reason it's done the way it's done is because Netscape believed that by now there would be so much encrypted commerce over the internet by now, between companies and individuals, that the X.509 certificate on the parts of both parties would be an invisible part of the situation to the point that you would simply go to a website and click "buy this" and the server would initiate some sort of secure connection to get *your* X.509 identity and handle all the commerce stuff invisibly, instead of the more-or-less invasive method of going to the secure server and filling out a bunch of HTML forms with your personal information that we're actually doing.)
And besides, it would make me feel better if we didn't need the CAs to do SSL because I get so irked that they like to claim that they're a necessary part of doing secure communications over the Web, when that's such a misleading statement. And Verisign's the worst because they don't even do the part of the job they're supposed to do (identity verification) very well and still want to gouge you for hundreds of dollars to do it.
-=-=-=-=-
What Thawte and Verisign do isn't exactly related to the encryption part of SSL, it's related to the X.509 certificates of sites that implement SSL. A site can do SSL without a certificate signed by Thawte or Verisign, but if the Certifying Authority that signed the certificate doesn't have its own signature in the lists of CAs maintained by the browsers (Netscape and MSIE include a list of CAs on the local machine when they get installed; I'm not sure how other browsers handle it.) then the browser will pop up some manner of error message when the site is contacted to the effect of "This site's certificate is signed by someone we don't know, do you want to continue?" It doesn't affect the server's ability to do SSL traffic - it can still do that - it only affects the browser's ability to verify that the certificate assigned to the site is who it says it is. (i.e. if you go to a site called www.mcdonalds.com to buy burgers over the 'net, you can look at the certificate to verify whether or not this is really the place that has the golden arches out front by the information in their certificate.)
The problem here is that probably 95% of the people doing e-Commerce on the net today are going to balk at a purchase if ANY sort of message box that looks like an error box pops up. It doesn't matter if you explain to them that the message only means that the browser doesn't recognize the authority that signed the certificate and that traffic is still encrypted when you communicate with the server, like my mom, they're just going to see an error message and freak out and not want to do business there. (In addition, I've personally had problems with MSIE properly passing information from forms when connecting to a secure site before we get the valid certificate installed. With the "Push here to connect to our secure server" button, ID information we might want to pass across to the secure server seems to get vaporized or something in the process of the user clicking the "Ok, connect anyway" dialog.)
So why can't some new, faster, better CA pop up and just start doing business? Because their signature isn't in the tens of millions of copies of Netscape and MSIE that are already active on the internet. Why can't they just get their signature into the new version? They can, I suppose, although after looking into it from a developer's perspective, I've not been able to find out how one would go about doing this other than I suppose contacting Netscape/AOL or Microsoft directly and passing along various salespersons until you found the person who could tell you how you could pay to have your CA's signature put into the next version. It still doesn't help the millions of people who haven't upgraded yet and will still get that error message.
Further, even if you could manage to get your signature into the new versions of the browsers, there's still the issue of what a CA is supposed to do. The CA exists to verify that the server is run by who it says it is. That means when you go to www.mcdonalds.com to buy burgers and check the certificate and it says "McDonald's, Inc." the CA had better have done its job and verified that the server is indeed being run by the golden arches people. If not, and the customer gets a load of rancid meat, I don't know what kind of liability comes into play, but in the U.S. anyway, someone's probably going to try to sue someone. It's hard to run the kind of services you need to be able to do this sort of thing reliably out of your living room, which means that the cost of entry is rather high. (This is completely ignoring the fact that most CA's I've dealt with lately just seem to accept any old thing you feel like faxing them with whatever letterhead you can throw together. As long as I have a Microsoft Word Form Letter Wizard that can put the McDonald's logo on my letterhead, I could probably get a certificate signed by one of the big CA's stating that I'm McDonald's, Inc.)
So, the problem with this merger is that if you combine Thawte and Verisign, they not only have 99% of the market, but also they, or subsidiaries of those two companies, are most of the CA signatures included with the current version of your web browser. The monopoly is not only in the market share, but also in the fact that the browsers themselves limit the number and which companies are "allowed" entry into the business without generating error messages on the client machines.
One solution would be to separate out the encryption from the trust capabilities; i.e. don't make having a valid X.509 certificate on your site a prerequisite for doing encryption. Or at least program the browser differently so the error message just warns about an unsigned certificate but specifically states that encryption is still capable, you just can't verify that the site is run by who it says it is. Again, this still doesn't fix the problem of the millions of people using current or old versions of the browsers out there right now.
I obviously feel very strongly about this issue.
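The two comments above argue that the browser warning depends on whether the signing CA is in the client's built-in list, not on anything about the site's key or certificate. The following is an added example, not part of the original comments, that checks one site certificate against two CA lists; it assumes the `openssl` command-line tool is installed, and every CA name, site name and file in it is constructed.

```shell
#!/bin/sh
# Constructed demo: every name, subject and file below is made up for this example.
# Prints TRUSTED or WARNING for a site certificate checked against one CA list.
check_against() {  # $1 = CA list (PEM file), $2 = site certificate
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo TRUSTED
  else
    echo WARNING
  fi
}

trust_demo() {
  d=$(mktemp -d) || return 2
  # "Bundled CA" stands in for a CA already in the browser's built-in list.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Bundled CA" \
    -keyout "$d/bundled.key" -out "$d/bundled.pem" 2>/dev/null || return 2
  # "New CA" stands in for a newcomer that no installed browser knows about.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=New CA" \
    -keyout "$d/new.key" -out "$d/new.pem" 2>/dev/null || return 2
  # The site generates its own key pair; the CA never sees the private key.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null || return 2
  # The new CA signs the request, vouching only for the name in the subject.
  openssl x509 -req -in "$d/site.csr" -CA "$d/new.pem" -CAkey "$d/new.key" \
    -CAcreateserial -days 1 -out "$d/site.pem" 2>/dev/null || return 2
  # Same certificate and key, checked against two different client CA lists.
  old=$(check_against "$d/bundled.pem" "$d/site.pem")
  cat "$d/bundled.pem" "$d/new.pem" > "$d/updated.pem"
  new=$(check_against "$d/updated.pem" "$d/site.pem")
  rm -rf "$d"
  echo "shipped-list=$old updated-list=$new"
}

trust_demo
```

The site's key pair and certificate are byte-for-byte the same in both checks; only the client-side list changes the verdict.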
-=-=-=-=-
What does "Caldera, Inc." do anymore, or are they just a company that exists for the express purpose of suing Microsoft since "Caldera Systems, Inc." is the "OpenLinux company" and "Lineo" is the "embedded Linux, DRDOS, etc. company" or do I have that all screwed up, despite looking on all their websites?
(FWIW, "www.caldera.com" and "www.calderasystems.com" are identical and feature Open Linux, "www.lineo.com" is what you would expect with Embeddix, Embrowser, DRDOS, etc, and "www.calderainc.com" forwards to "www.drdos.com", the only content on which is information about the "Caldera vs. Microsoft" lawsuit.)
-=-=-=-=-
Bryan Sparks, CEO of Caldera said, "We are happy to have finally settled this lawsuit to the satisfaction of both companies" while casting furtive glances at the two hulking, brutish men in black suits, dark glasses and Microsoft employee badges standing behind him.
-=-=-=-=-
The look on their faces when I grabbed a handful and shoved them in my mouth and then SHOWED them I had actually swallowed them was priceless...
-=-=-=-=-