But please read the rest of the post.
"As a default, it doesn't".
If I manage 10 computers and need to install new software for everyone, I'll bop on down to their desks and install it at night, no biggie. I neither want nor need this turned on.
If I manage 10,000 computers, I'm never going to have the staff to do that. So I'm going to set up an internal repository and make approved applications available on it. Then my Linux image could have this feature turned on, along with a customized list of "approved signing authorities" which would be MY repository server (or servers - I might have one repo for finance apps and another for all users, for example).
If the company approves an application, I put it on the internal repo and tell users it's available if they want/need it.
And if an individual user needs something special, I can still use root to install it for them.
You're doing it wrong if you have to visit their desks in the first place. If you manage 10,000 Linux computers you're going to have centralized management of some sort set up already. In the larger centrally managed Linux setups I've seen, it's always a custom setup that no one outside of a couple of admins knows how to run - compared to Windows and Active Directory which just about any MS admin can walk in and manage. But that's another gripe I have about Linux.
You missed the point. The Firefox developers all sang in unison that the memory leaks and instability were the result of plug-ins and publicly refused to admit that Firefox had issues, despite the fact that people were posting bugzilla examples of the problems with no plugins installed. Sometimes it was a corrupt profile issue or something gone awry with an upgrade in which case a total nuke and reinstall usually fixed it.
It'd also be nice if verified plug-ins were signed by Mozilla, so the user knew they were safe. Perhaps make use of some of that peer-review that all the OSS folks claim is constantly happening? If it looks kosher, bless it with a digital signature like Microsoft does? Firefox has become a victim of lots of crappy add-ons. Keeping a list of unsafe add-ons would also be helpful (again like MS does).
From a user perspective, this sounds like a good move. Stability problems in Firefox always seem to stem from add-ons or extensions. Lock that crap down, and make the devs code the right way.
Correction - stability problems in Firefox have always been blamed on add-ons or extensions. Of course the developers always became deaf when people were having issues with no plug-ins installed.
It's a whole different ballgame if they are using VLANs to isolate the control network. Then a hacker just has to penetrate a router or take advantage of poor VLAN isolation in some switches. Plus, you're bound to have at least a few employees who just have to have their machine connected to both networks at the same time and think using two network cards is safe.
So when you blind-test your friends they can't tell or even prefer the mp3. Did you blind-test yourself as well? I bet your results are no different than your friends'.
...and sudoers under Linux have the privileges of the root account.
One nitpick here. Sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file. With a properly written /etc/sudoers file, the users are allowed to run specific commands as root. It doesn't give them carte blanche to run any command as root unless they are granted permissions to run either all or a shell.
fluffy99 is right in my experience. There was stuff I couldn't do as an admin group member, when I was programming on Windows server, that I could do as the SYSTEM ACCOUNT. So sometimes when I needed to test a hook on something I would schedule "CMD.exe" to run in the scheduling system and enable interact w/desktop for the job.
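The distinction drawn in the comment above, between sudoers entries that grant specific commands and entries that grant ALL or a shell, can be checked mechanically. The following is an added example, not part of the original thread: a simplified auditor that assumes single-line user specifications with no alias expansion or line continuations; the sample entries and the function names `classify` and `audit` are constructed for illustration.

```python
import os
import re

# Constructed sample of sudoers user specifications (not taken from the thread).
SAMPLE_SUDOERS = """\
Defaults env_reset
alice   ALL=(ALL) ALL
bob     ALL=(root) /usr/bin/systemctl restart httpd, /usr/bin/tail /var/log/httpd/error_log
carol   ALL=(root) NOPASSWD: /bin/bash
%wheel  ALL=(ALL:ALL) ALL
dave    ALL=(root) /usr/sbin/service cups restart
"""

# Binaries treated as "a shell" for this check (assumed list, extend as needed).
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "csh", "tcsh"}
SEVERITY = {"specific commands": 0, "shell": 1, "any command": 2}

SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?P<rest>.+)$")
RUNAS = re.compile(r"\([^)]*\)\s*")       # "(root)", "(ALL:ALL)" run-as lists
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")   # "NOPASSWD:", "NOEXEC:" and similar tags
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def classify(rest):
    """Classify the command list of one user specification."""
    verdict = "specific commands"
    for cmd in RUNAS.sub("", rest).split(","):
        cmd = TAGS.sub("", cmd.strip())
        if not cmd or cmd.startswith("!"):   # "!cmd" is a denial, not a grant
            continue
        if cmd == "ALL":
            return "any command"
        if os.path.basename(cmd.split()[0]) in SHELLS:
            verdict = "shell"
    return verdict


def audit(text):
    """Map each user or %group to the broadest grant found for it."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "@")) or line.startswith(SKIP):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        who, verdict = m.group("who"), classify(m.group("rest"))
        if SEVERITY[verdict] >= SEVERITY.get(result.get(who), -1):
            result[who] = verdict
    return result


if __name__ == "__main__":
    for who, verdict in audit(SAMPLE_SUDOERS).items():
        print(f"{who:8} {verdict}")
```
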
Yup, I'm quite familiar with that trick. In particular it was very handy for running regedit and getting to keys under security that only the system account had access to. Nowadays I just use runas to start a cmd prompt with my admin account as needed.
Later on with XP, Microsoft got a bit smarter and created variants of the system account like network_service, local_service, as well as the usual system to help limit the damage that services could do (previously they all either ran as a local user or system). Again a properly hardened system shouldn't be running potentially vulnerable services under an excessively privileged account - under both Windows and Linux.
Counting the bugs is a poor way of determining vulnerabilities. It's not easy to search for vulnerabilities in the Firefox Bugzilla, btw. Unless you know some magic search terms?
Searching on CVE or vulnerability doesn't show you everything. Lots of potential issues get cleaned up along the way as part of other patches and normal development, and are never acknowledged as vulnerabilities. Same thing happens on the Microsoft side of the fence. If a vulnerability is known, it's documented in the KB that issued the patch.
If you want to count known vulnerabilities, just look at 3rd party sites that collect that info like Secunia or Cert.
Disparaging Microsoft because you think they are quietly finding their own bugs and fixing them is backwards. You should be glad they are.
To me a better comparison to make is how long critical vulnerabilities exist before they are patched. Microsoft obviously loses that comparison as they like to adhere to the monthly patch cycle and often delay action for privately reported issues. Given how much IE is interlaced with other products, Microsoft also has to be more careful about patches than Mozilla Firefox which is much more of a standalone product.
That depends entirely on what rights are granted to the administrators group and what are given to the system account. On top of that, you have the permissions on specific resources that may be different. A properly hardened Windows box will have tighter rights-assignments and resource permissions (think registry keys and file permissions).
By default though, the Administrators group has more total rights granted than the system account itself. Run secpol.msc -> local policies -> user rights assignment and have a look if you don't believe me.
Yes, and you're claiming Mozilla doesn't roll up Firefox patches?
I hate products that include a local copy of Mozilla. You can't update it, and it's not easy to find or realize that it's even there. Same thing with using Apache just to display a GUI.
If a vulnerability isn't found, then what's the problem? By that notion, both browsers have undiscovered issues. I do wonder if they were double or triple counting Firefox vulnerabilities as it is supported on more platforms.
Another, probably more reliable source would be secunia.com. Counting Firefox 3.0.x and 3.5.x, there were a total of 18 issues in 2009 (13 and 5 respectively). Counting IE6, IE7, and IE8 there is a total of 18 vulnerabilities (6, 6, and 4 respectively). Looks like pretty comparable numbers and severity to me.
...clonezilla can do all of that too. did you even check the site? and might I mention that clonezilla's free as in speech, and not super-expensive like Acronis.
No it can't. You can't run Clonezilla from within Windows to do a hot-backup. Clonezilla live requires booting from the CD and taking the system down. This isn't an option where the system must stay up 24/7 and you want seamless automatic backups. If I'm mistaken, please show me on their site where it claims this capability (I looked).
Last time I used Clonezilla, it had no clue about NTFS and simply used dd to copy any partitions it didn't understand. That also had the limitation that it could not resize the partition during restore. Their website implies it knows about NTFS now, but it's not clear if it can resize while restoring now.
Clonezilla also used dump and restore to back up ext volumes which can cause corrupted files in your backup if you use it on an active partition as files can change mid-copy. Even Linus says dump/restore is deprecated: http://dump.sourceforge.net/isdumpdeprecated.html
For workstation use, Acronis is pretty cheap if you look for their sales. I paid $11 for Acronis Home not too long ago. The server version is pretty expensive though.
Besides, who said speech was free?
A fast update cycle means shorter support times for specific versions. How surprising.
No argument there. FC seems to be gung-ho about charging forward on major versions, swapping out major subsystem packages, and barely getting one version stable before upgrading. I only use it on some workstations because it's free or I need the latest bleeding edge hardware support. For critical systems that need more stability and version control, I use RHEL which requires a support contract.
I thought about switching to CentOS or Whitebox, but they are perpetually one step behind RedHat. Plus I feel like they are leeching off of RedHat's work product and drawing money away from a company that is heavily investing in Linux development.
Acronis TrueImage is an imaging program, and it can back up individual (or sets) of files. The imaging can be done as the full volume or incremental backups as well. Backups can go to a network or USB drive share. Bare-metal recovery is accomplished by booting with the rescue CD and restoring the image. I can restore a server system volume in under 15 minutes.
I really like Acronis, particularly since it can do the imaging without having to take the system down like Norton Ghost. I haven't used the file backup feature that much.
For my work servers, I have scheduled Acronis backups over the network of the system partition and BackupExec to tape handling the backups of the data volumes. The Acronis gives me fast bare-metal recovery of the system, plus the BackupExec handles versioning and long term data backups. I've even remotely recovered a system using the RAC card in a Dell server to boot to a local copy of the recovery disk ISO and restore the image across the WAN link - that was slow but beat the hell out of flying 2000 miles to fix it.
At home, I just have my systems doing Acronis backups over the network to each other. If one dies, I recover using the image saved on the other.
Open problem I've had with Linux is that you must keep upgrading or risk getting too far behind. For example, Fedora only really supports upgrading from the immediately preceding version. Try upgrading FC6 to FC11 and you'll see what I mean. Stuff like syslogging stops working until you figure out what packages the installer screwed up. Support for anything more than a year old is non-existent in the constant drive to push versions forward. For distributions with a fast update cycle, that means you're forced to update as often as every 4 months. A real pain if you have unusual hardware that isn't natively supported in the kernel.
One step ahead of you - I have two separate volumes running RAID1 and RAID5 so I am set for backups. ;-)
Repeat after me - "RAID does not protect against anything but hardware failure". It does not protect against users accidentally deleting files, files getting corrupted, or the OS having issues. To actually recover from any of those things, you need a usable BACKUP. It needs to be a cold-metal type of backup that you can easily restore from ground-zero. Something like Acronis TrueImage or Ghost of the system drive and whatever backup you prefer for the data volumes. Keep the backup files for a long time, otherwise I guarantee you'll have a file that got deleted last year and no-one noticed.
In which case the US would have been the first to put something like this on paper. I believe a crude version was also built as a long range missile and fired back in the 60's.
The problem with that Wikipedia article is that a nuclear reactor usually means a fission reactor, and not nuclear batteries which are rather common in satellites.
Removing the oxygen won't do the trick. IIRC, lithium will happily react with, for example, CO2, halon or nitrogen.
When heated excessively, the electrolyte or cathode material used in many lithium batteries gives off oxygen. Seems stupid, eh? A runaway thermal problem caused by a minor short circuit literally adds oxygen to the fire.
I doubt it's an issue with burning an ISO. If you can't figure that out, then you probably wouldn't be trying to use Linux. They are most handy for those with crappy internet connections that don't want to tie up the phone for 3 days trying to download it. Of course if you're in that boat, you probably can't keep up with the Windows or Linux updates either.
It's the guys who like to have an official copy in their hand, that could download it who were perhaps abusing the system.
User: *modifies policies*
Any user who actually knows how to modify the policies (as opposed to simply disabling) is not likely to fall for the dancing bunnies scheme. Modifying or writing SELinux policies is far from intuitive or easy for the average luser to accomplish.
At that point, you could just buy a netbook. I think Amazon finally understands this and is offering a software solution to run on the PC. Perhaps they will eventually get out of the hardware end of this.
Just having SELinux installed and enforcing is useless, unless someone has gone through and written proper policies that define the mandatory-access-control limitations. Policies have been written for many services such as Apache, but there is still a dearth of appropriate policies for user apps.