"an rfc is just a story that someone thought might not get laughed at too much."
While that's true, I found it amusing that nobody pointed out the the RFC till now. At the very least someone already took the time to write a document sensible enough so people won't laugh at it too much, so probably it makes sense to have a look at it.
"don't take them too seriously"
But at least take the time to see if it makes sense (this RFC *does* make sense from A to Z despite it being quite old).
"and then name your machines after their function."
That is directly agains the RFC. The RFC explains why you shouldn't do that you don't offer any reason for your strategy.
"You can always map multiple names to one machine, and then you can merge or split them later at will"
I have (and it's a common trend for all that I know) some machines that were on the "battlefront" on their glory days that are now on second rank tasks (some fileservers are now testing machines; or an old mailserver is now a secondary DNS...). Such an environment is trivially managed by the RFC procedure, both conceptually (torin used to be the mailserver and it's now a secondary DNS, just like John used to be an IT technicial but he is now his area's head) and technically (fileserver-01 CNAME used to point to feanor but now points to luthien while stage-04 now points to feanor). Is your approach better than that from the RFC? I don't think so.
Which function does which server is enterily an IT staff issue; we know about DNS and we care that torin went from front line to second rank. Everybody else don't care; we just don't expose server names (not that they are secret either) just as we don't expose the name of our functional employees; the one who cares will know them by name, the one who just need the function will name them after their function and that's all.
"Name the servers with logical names based on their function"
My internal primary DNS server is one of the three internal NTP server. What should I do?
My internal primary DB engine used to be a fileserver. Do I rename it (it's the same box, really)?
"There no reason to have names like FILESERVER-CHICAGO-02-2003RT when FILESERVER2 would suffice."
Yeah, that's so right! We had to fire Mary, our friendly recepcionist when we hired Mary a new accountant because we found so important to have a clear name policy. That was last year. We now go one step head. Our HR head managed to convince CxO that we really need to change our names to show our function, and I used to be turbidostato but now my name is BOFH.
Well, not really. It's about as stupid to name machines after their today's function as it is to choose people using that same criteria (What!!?? Archer is a marketing guy? that makes no sense!). We take either a numerical approach (most desktops are just desktop-NNNN) or a theme-based one (Tolkien's names) *and* liberal use of CNAMEs just as you do with people: Archer, aka south-west executive accountant is like frodo, aka mail. Or, using real examples, both CNAMEs ntp-02 and dns-01 point to melian; db-01 used to point to feanor but now points to tuor.
"But can you detect a Stradivarius without knowing it is one? And telling it apart from a Guarnerius or Amati? Or even a good quality modern instrument?"
Sure almost anyone would. Not to say you are not (partially) right, but not on this one. I never had the chance to listen to neither and Stradivarius nor a Guarneri but I had listened to a decent collection of violins of different qualities and ages and certainly the differences among them are conspicous and, in general, there will be a concordance among the audience about what ones sound better and "rounder" (and a clear difference between those that tend to prefer a more colourful sound and those that prefer "dark" instruments).
What I mean is that violins *do* sound different just as coke tastes different to pepsy. Maybe most people not used to coke drinks won't tell apart coke from pepsy but certainly they will tell appart the two brands if offered on a test. Since they both taste different, any trained people will pick apart Pepsy from Coke at the first slip. Please, pay attention that this has nothing to be with pepsy being better than coke or the other way around; they are just different.
So I think you might be right about Stradivarius not being the best over there, just the most famous, but you are wrong in that a trained ear won't be able to take apart Stradivarius from even a good quality XIX german violin or, at the very least, late XVII-early XVIII cremonensis violins from everything else.
Re:RAID5 is stupid, RAID 10 or no RAID
on
What NAS To Buy?
·
· Score: 1
"Only problem with a hot spare on RAID5 is that it assumes that the hot spare won't fail."
No. It only assumes that there's a decent chance for the disk not to fail between the time the first disk fail and the time it ends the rebuild process.
And then it assumes too that you are not stupidly using your RAID as a means to protect your data, that's what backups are for, but to rise its avaliability. In the slime chance of your second disk failing at the bad moment, well, you are unlucky and will have to restort to your backup. Certainly undesirable but not a terrific problem.
Re:RAID5 is stupid, RAID 10 or no RAID
on
What NAS To Buy?
·
· Score: 2, Insightful
"Personally, for a file server I wouldn't touch sata drives at all if I could help it. Ruddy unreliable pieces of metal. Sas is a much better option. Shame its so damn pricey"
I can say I use extensively both of them (well, not so extensively, in the dozens) and I can't see any significant differences in reliability (both are quite reliable and awesome per 5-10 years ago standards). SAS is so much fast on typical filesystem usage (not that surprising since I use 7500RMP big 500/750GB SATA against 10000RPM 75GB SAS) but not more reliable.
Of course there *is* a difference between disks -both SAS or SATA, within the server room and those -again, both SATA and SAS, out of the server room but, again, that's expected.
Re:RAID5 is stupid, RAID 10 or no RAID
on
What NAS To Buy?
·
· Score: 1
"What's the access pattern you're "testing" with ?"
Mainly short/medium files (2/20MB) rw not too many concurrent accesses (near-site on-line mass storage)
Well, the easy (and usually correct) answer is CTO really comes from a technical background where CIO holds a degree on poetry or something like this, so go figure.
The "proper" answer is that Information is not Technology as Astronomy is not Telescopes. While the CTO is aimed at the T of the equation and how "information T" can help to achieve the company strategic goals and even open new opportunities as Technology advances, CIO will focus on the I and its fluxes through and beyond the company, surely with the strong aid of "Information technologies" but not limited to them. As Arthur Jones states "all organizations are perfectly designed to get the results they get. To get better results, you need to improve the design of the organization"; it is CIO's job to understand the company and its surrounding environment as the complex system it is (and I'm meaning "complex system" on its scientific meaning so, basically an informational machine) and organize it for the better of the company and, in backwards, to "exploit" what currently the company is (with its strenghs and weakenesses) to its full capabilities.
It's unneeded to say how vague the previous definition for a CIO job statement is and so, how open to moronic/pointy-headed ideas both from the rest of CxO and the CIO himself. Nevertheless when a CIO is both capable for the job and allowed by the other CxO to do it, he can make a *hugh* difference for the company, only comparable to that of the CEO (with which overlaps not little in role).
Re:RAID10 is stupid, RAID0 or RAID5 or no RAID
on
What NAS To Buy?
·
· Score: 1
"Nightly backups, provide security for catastrophic failures."
Yeah, you brought a point I didn't even went into but you are absolutly right: RAID is NOT a means to make your data safer, only more avaliable and that's people usually forget. It is not a question about "would I go with RAID or with backups?" since they are quite different beasts. RAID (higher than 0, I mean) is for your data to be accesable 24x7, not to cover your ass in case things wreak havoc. That's what backups are for.
Re:RAID5 is stupid, RAID 10 or no RAID
on
What NAS To Buy?
·
· Score: 1
"Or use RAID6, giving you essentially the best of both worlds."
That's true, and when software RAID6 (or even hardware for that matter) gives reasonable speed (and I'm quite conservative about this speed) I'll certainly change my advise. From my tests RAID6 is sorrily sloooooooooowwwwww.
Re:RAID5 is stupid, RAID 10 or no RAID
on
What NAS To Buy?
·
· Score: 2, Informative
"I don't know why AC got modded troll..."
It is not good advice, it only seems to. Let's see the typical home-grown near-site server, say three 500GB SATA disks on RAID5 for 1TB usable space. Now, go with RAID 1+0; that means you need four disks (that's 33% more money) to gain about 0.025% reliablity (over a conservative stimate that you are at 99.9% no disk will fail in 3 years, but if one fails you are 10% sure another one will fail within next week -but you must consider that if the one that fails is one from the other stripeset... which means two out of three of the remaining disks, that means 7.5% sure you will lose your data).
Now: for the same dollars go with RAID5+Hot spare: you reduce your fail window to mere hours (the time to recronstruct) upraising your riability by at least a ten factor (you go from a one week fail window to about four hours). Once the RAID is reconstructed you are again 100% safe. If a second disk fails prior for you to get a new spare (say, within a week, you know, still the same 10% probability, only this time you won't loose data), then just stop the whole think, get new disks (from a different vendor/different model), mount the dirty RAID r-o and copy (disks are much less prone to fail if only reading than r-w). And money numbers get more favourable as you add disks, which is not true with 1+0.
So, you see, RAID5+hot spare is quite a better advice both money-savvy and regarding reliability. RAID1+0 is only advisable if you have money to spend and you need the extra speed.
"The point I was trying to make, and perhaps I did not make it as clearly as I could, is that you can have security vulnerabilities that are not defects."
I saw your point, but I think "the point" now is about the definition of vulnerability. You can go as theoretical as you want but, at the end of the day, more or less the same operational definition I gave for "defect" is just as valid for "vulnerability": if it works as expected, then it's not a vulnerability as it is not considered a vulnerability that your home front door cannot stand against a Tomahawk.
"When that trade off is accepting a vulnerability due to efficiency of the code or to save the time it would take to fix it, then it is clearly a defect"
You said at the top of your post that you agreed with me. Well, no: if you conciously and knowingly accept some vulnerability, my point is that it is *not* a defect. And my point now is that it probably isn't a vulnerability either: in your example, say, authenticating through non-cyphered HTTP (instead of HTTPS) conciously and knowing and accepting the trade-offs is certainly not a defect, nor I'd consider it a vulnerability.
Hey, that's *two* questions! But, hey, the answer is "yes".
"Please prove"
And now they make three (gruntle). OK: Michesol-Morley experiment. There, two measurements, different light paths, same measured speed. If that's not enough, you have Roemer's measurements too.
"Hey, but you haven't proved it on every case"
So you don't believe my statement to be true? Well, it passes "Pope's falsation test", so it's now your turn: show an experiment where light travels in vacuum at a different speed and I will eat my words.
"The core concept of evolution, as I understand it, is selection."
No, it isn't. Mutation is the core concept, not selection. You can have selection without evolution (ask any gardener) but as soon as you have mutation you have evolution.
Once you accept evolution, then you go about how this evolution happens, and that's the true realm of Darwin's theory among its competitors (other theories of evolution). Darwin states that there is *random* evolution and then selection of the fittest by means of their higher reproduction rate (thus, first somehow appears variation of the neck lenght of proto-giraffes, then those with the longest necks get selected). Lamarck states that there's environmental-pushed evolution and then selection of the fittest by means of their higher reproduction rates (thus, first the proto-giraffes force their necks their whole life in an attempt to get to acacia leaves, then such an effort is somehow inherited by their descendance). Wallace states that there are both random and externally-directed evolution and then selection of the fittest and/or those more aquitant to God's plan (a very interesting guy, Wallace. He was a strong darwinist till he "noted" that "simple" random evolution and selection wouldn't explain the abyssmal difference between "the average african nigger, just a step over the gorilla, and the finest parisian citizen" -not his literal words, but quite to the spirit, therefore there should be something more, which he thougth to be God wanting the "true" man to appear).
"People who don't believe in evolution, if they get infections, should only ever be provided sulfa drugs, or maybe penicillin, and not modern antibiotics."
Please don't oversimplify creationist arguments or else they'll get strong by your mistakes. Bacterial antibiotic resistance is not needingly related to evolution: it can be easily explained by population variance and creationists know that (maybe one bacteria out of a billion is already resistant to the antibiotic; by means of exposing the bacterial population to the antibiotic effects after a few generations all bacterias are resistant just because only those of the lineage of the original resistant happen to survive -see? no evolution required. That's in fact what happens most of the time).
"No we call it the LAWs of Gravity; because time study has show the gravity model to be sound"
Sorry sir, but no, sir.
We call it a law because it is... a law. It expresses with certainty*1 and precission an aspect of reality. Please note that Newton's LAW of gravity is included within the frame of Newton's THEORY of universal attraction.
As a general matter, formulaes that express some important concept, specially if they have a worded translation, are laws while the conceptual frame such formulaes are included in are theories.
*1 Within the context certainty means that given an input they offer a precise output, not two nor three, not that they are somehow true. In fact, we know for almost a century that Newton's laws are INCORRECT but still they are laws.
If problems on cars were defects in the eyes of USA law, they'd be considered a material defect or design defect under existing contract or product liability law respectively. There are a few possible outcomes from such a scenario A) Nobody builds cars anymore because they'd be sued into oblivion B) Car prices go up because builders & sellers have to buy car defect insurance C) Prices go up because companies spend more in labor to produce defect free cars D) The EULA lists every possible failure scenario (plausible or not) in the interests of full disclosure and business continues as usual
Well, I don't see car bussiness to be in bad shape lately.
"Was the lack of security and the potential vulnerabilities a defect or a design flaw for the small company?"
How can somebody twist a simple concept into such a contorted one?
Defect is nothing more and nothing less than something not working as expected. If something is there by a concious decision is a feature; if something is misdoing, it's a defect. It's as simple as that. Really.
Now, on defects: if something works as designed, but the designers didn't thought in advance of a given (misdoing) situation it's a design defect (in your example, if somebody misuse his admin rights and the boss feels it unacceptable *now*, that means that his security design was flawed. If he answers "well, these things happen, let's move on", then it's a feature). If something doesn't work as designed, and it's misdoing, it's an implementation defect. If something is working as designed and the designer doesn't feel some behaviour to be misdoing, then it's a systemic defect (either an unethical seller or an idiot/uniformed buyer).
"Seriously now, what's with all the hate at even the idea of a creator?"
That such a creator has the uncomfortable behaviour of not exposing His desires directly but through the aids of some chosen speakers which usually have a discourse too suspiciously similar to that expected from an all too human person, not a divinity, and that usually includes not only how the world became to be -usually in very suspiciously unobserved or directly against all evidence means, but a lot of behaviours for day-to-day observation including but not limited to, directly killing infidels.
Once you accept there is some kind of so High Being as God, all funny things can happen, since God's so High that His commands are not to be cuestioned no matter how stupid or immoral (to us, so lower creatures) they seem to be.
I hate the very idea of Somebody so High that it is above and beyond rational criticism, killing all hope of freedom for human race.
"While I agree it would be great to be able to impose similar work ethics and standards on other economies, it's something they need to work out for themselves in a manner that works to fit their economy."
Well, they can look for what fits to their economy all they want. But once they want to sell something on *my* markets then we are talking about *my* economy so there shouldn't be any problems to accept they must be playing by *my* rules... like "your goods shouldn't be produced by 12 hours-day workers". Please note I'm not trying to force them not to work 12 hours-a-day, after all, it's their economy and they know better what to do, I'm only stablishing conventions in order to go into *my* economy; they still can sell their good anywhere else (if accepted).
"So you really don't mind if I take everything classified "Top Secret" and hand it over to Osama, Iran and China, whichever you fear the most?"
Did I say that? No, I didn't. Not at all sir.
I did tell (you can look at it if you want to) that "it doesn't make sense to make information illegal to posess."
What you imply is a much different thing: in order for you to be able to take Top Secret information and "and it over to Osama, Iran and China, whichever you fear the most", you have to: a) Posses such information (which in itself it's ridiculous to be illegal since then, every agent with a Top Secret clearance that happens to posses such information should have to be a delincuent... like USA president, Mr George W. Bush). b) Decide to take such information and hand it over the Top Secret barrier which is, in itself, illegal and I never said it shouldn't be illegal to take Top Secret documents and break its Top Secret status, did I? c) Once that information's Top Secret status is broken, you should pass it to a declared USA enemy which, again, it's in itself illegal and I never said it shouldn't be illegal to pass information to declared USA enemies, did I?
"You don't think you have any right to privacy, sure the hacker that took over your machine did something illegal but that your whole life is now posted over the Internet is not?"
In order for such a thing to happen, quite more than one event must happen: a) In order to post that information to the Internet, such a hacker must posses such information (which in itself it's ridiculous to be illegal since then, I should have to be a delincuent since I posses such information too). b) Since he still doesn't posses that information, the hacker must previously hack my PC to get at it, which is in itself illegal, and I never said it shouldn't be illegal to hack third partie's PC in order to gain accesss to private information, did I? c) Once the hacker (illegally) take a hand onto my private information he must make it public into the Internet which, again, is illegal by itself, and I never said it shouldn't be illegal to make public information you don't have legal right to, did I?
"The world isn't so simple as "Sticks and stones may break my bones, but words can never hurt me"."
It isn't. That's why Justice always tended to make heavy difference between free speech and libel. Words *do* hurt. Cutting down freedom and free speech does hurt *even more*, though.
It's have been told so many times lately (post 11-S) that it starts to feel empty words, but it's still truest (emphasis mine) that "The man who trades freedom for security does not deserve *nor will he ever receive* either."
You are trying to trade freedom for security, please understand Franklin's words and know that, if anything, you *won't* gain more security but, still, your freedom and that of others that doesn't think like you will be lost -and lost for nothing.
"an rfc is just a story that someone thought might not get laughed at too much."
While that's true, I found it amusing that nobody pointed out the the RFC till now. At the very least someone already took the time to write a document sensible enough so people won't laugh at it too much, so probably it makes sense to have a look at it.
"don't take them too seriously"
But at least take the time to see if it makes sense (this RFC *does* make sense from A to Z despite it being quite old).
"and then name your machines after their function."
That is directly agains the RFC. The RFC explains why you shouldn't do that you don't offer any reason for your strategy.
"You can always map multiple names to one machine, and then you can merge or split them later at will"
I have (and it's a common trend for all that I know) some machines that were on the "battlefront" on their glory days that are now on second rank tasks (some fileservers are now testing machines; or an old mailserver is now a secondary DNS...). Such an environment is trivially managed by the RFC procedure, both conceptually (torin used to be the mailserver and it's now a secondary DNS, just like John used to be an IT technicial but he is now his area's head) and technically (fileserver-01 CNAME used to point to feanor but now points to luthien while stage-04 now points to feanor). Is your approach better than that from the RFC? I don't think so.
Which function does which server is enterily an IT staff issue; we know about DNS and we care that torin went from front line to second rank. Everybody else don't care; we just don't expose server names (not that they are secret either) just as we don't expose the name of our functional employees; the one who cares will know them by name, the one who just need the function will name them after their function and that's all.
"Name the servers with logical names based on their function"
My internal primary DNS server is one of the three internal NTP server. What should I do?
My internal primary DB engine used to be a fileserver. Do I rename it (it's the same box, really)?
"There no reason to have names like FILESERVER-CHICAGO-02-2003RT when FILESERVER2 would suffice."
Yeah, that's so right! We had to fire Mary, our friendly recepcionist when we hired Mary a new accountant because we found so important to have a clear name policy. That was last year. We now go one step head. Our HR head managed to convince CxO that we really need to change our names to show our function, and I used to be turbidostato but now my name is BOFH.
Well, not really. It's about as stupid to name machines after their today's function as it is to choose people using that same criteria (What!!?? Archer is a marketing guy? that makes no sense!). We take either a numerical approach (most desktops are just desktop-NNNN) or a theme-based one (Tolkien's names) *and* liberal use of CNAMEs just as you do with people: Archer, aka south-west executive accountant is like frodo, aka mail. Or, using real examples, both CNAMEs ntp-02 and dns-01 point to melian; db-01 used to point to feanor but now points to tuor.
"But can you detect a Stradivarius without knowing it is one? And telling it apart from a Guarnerius or Amati? Or even a good quality modern instrument?"
Sure almost anyone would. Not to say you are not (partially) right, but not on this one. I never had the chance to listen to neither and Stradivarius nor a Guarneri but I had listened to a decent collection of violins of different qualities and ages and certainly the differences among them are conspicous and, in general, there will be a concordance among the audience about what ones sound better and "rounder" (and a clear difference between those that tend to prefer a more colourful sound and those that prefer "dark" instruments).
What I mean is that violins *do* sound different just as coke tastes different to pepsy. Maybe most people not used to coke drinks won't tell apart coke from pepsy but certainly they will tell appart the two brands if offered on a test. Since they both taste different, any trained people will pick apart Pepsy from Coke at the first slip. Please, pay attention that this has nothing to be with pepsy being better than coke or the other way around; they are just different.
So I think you might be right about Stradivarius not being the best over there, just the most famous, but you are wrong in that a trained ear won't be able to take apart Stradivarius from even a good quality XIX german violin or, at the very least, late XVII-early XVIII cremonensis violins from everything else.
"Only problem with a hot spare on RAID5 is that it assumes that the hot spare won't fail."
No. It only assumes that there's a decent chance for the disk not to fail between the time the first disk fail and the time it ends the rebuild process.
And then it assumes too that you are not stupidly using your RAID as a means to protect your data, that's what backups are for, but to rise its avaliability. In the slime chance of your second disk failing at the bad moment, well, you are unlucky and will have to restort to your backup. Certainly undesirable but not a terrific problem.
"Personally, for a file server I wouldn't touch sata drives at all if I could help it. Ruddy unreliable pieces of metal. Sas is a much better option. Shame its so damn pricey"
I can say I use extensively both of them (well, not so extensively, in the dozens) and I can't see any significant differences in reliability (both are quite reliable and awesome per 5-10 years ago standards). SAS is so much fast on typical filesystem usage (not that surprising since I use 7500RMP big 500/750GB SATA against 10000RPM 75GB SAS) but not more reliable.
Of course there *is* a difference between disks -both SAS or SATA, within the server room and those -again, both SATA and SAS, out of the server room but, again, that's expected.
"What's the access pattern you're "testing" with ?"
Mainly short/medium files (2/20MB) rw not too many concurrent accesses (near-site on-line mass storage)
Well, the easy (and usually correct) answer is CTO really comes from a technical background where CIO holds a degree on poetry or something like this, so go figure.
The "proper" answer is that Information is not Technology as Astronomy is not Telescopes. While the CTO is aimed at the T of the equation and how "information T" can help to achieve the company strategic goals and even open new opportunities as Technology advances, CIO will focus on the I and its fluxes through and beyond the company, surely with the strong aid of "Information technologies" but not limited to them. As Arthur Jones states "all organizations are perfectly designed to get the results they get. To get better results, you need to improve the design of the organization"; it is CIO's job to understand the company and its surrounding environment as the complex system it is (and I'm meaning "complex system" on its scientific meaning so, basically an informational machine) and organize it for the better of the company and, in backwards, to "exploit" what currently the company is (with its strenghs and weakenesses) to its full capabilities.
It's unneeded to say how vague the previous definition for a CIO job statement is and so, how open to moronic/pointy-headed ideas both from the rest of CxO and the CIO himself. Nevertheless when a CIO is both capable for the job and allowed by the other CxO to do it, he can make a *hugh* difference for the company, only comparable to that of the CEO (with which overlaps not little in role).
"Nightly backups, provide security for catastrophic failures."
Yeah, you brought a point I didn't even went into but you are absolutly right: RAID is NOT a means to make your data safer, only more avaliable and that's people usually forget. It is not a question about "would I go with RAID or with backups?" since they are quite different beasts. RAID (higher than 0, I mean) is for your data to be accesable 24x7, not to cover your ass in case things wreak havoc. That's what backups are for.
"Or use RAID6, giving you essentially the best of both worlds."
That's true, and when software RAID6 (or even hardware for that matter) gives reasonable speed (and I'm quite conservative about this speed) I'll certainly change my advise. From my tests RAID6 is sorrily sloooooooooowwwwww.
"I don't know why AC got modded troll..."
It is not good advice, it only seems to. Let's see the typical home-grown near-site server, say three 500GB SATA disks on RAID5 for 1TB usable space. Now, go with RAID 1+0; that means you need four disks (that's 33% more money) to gain about 0.025% reliablity (over a conservative stimate that you are at 99.9% no disk will fail in 3 years, but if one fails you are 10% sure another one will fail within next week -but you must consider that if the one that fails is one from the other stripeset... which means two out of three of the remaining disks, that means 7.5% sure you will lose your data).
Now: for the same dollars go with RAID5+Hot spare: you reduce your fail window to mere hours (the time to recronstruct) upraising your riability by at least a ten factor (you go from a one week fail window to about four hours). Once the RAID is reconstructed you are again 100% safe. If a second disk fails prior for you to get a new spare (say, within a week, you know, still the same 10% probability, only this time you won't loose data), then just stop the whole think, get new disks (from a different vendor/different model), mount the dirty RAID r-o and copy (disks are much less prone to fail if only reading than r-w). And money numbers get more favourable as you add disks, which is not true with 1+0.
So, you see, RAID5+hot spare is quite a better advice both money-savvy and regarding reliability. RAID1+0 is only advisable if you have money to spend and you need the extra speed.
" they want to break free from the "evil West" (which they see as being ruled by the Pope and the Jews, no kidding!!)"
Ah, poor ignorants! Bush talks directly to God Himself, not with lower minions, no kidding.
" If it had been a gas-core nuclear rocket, we could put bases on the moon in a single shot."
Wouldn't that make it a home-run?
"The point I was trying to make, and perhaps I did not make it as clearly as I could, is that you can have security vulnerabilities that are not defects."
I saw your point, but I think "the point" now is about the definition of vulnerability. You can go as theoretical as you want but, at the end of the day, more or less the same operational definition I gave for "defect" is just as valid for "vulnerability": if it works as expected, then it's not a vulnerability as it is not considered a vulnerability that your home front door cannot stand against a Tomahawk.
"When that trade off is accepting a vulnerability due to efficiency of the code or to save the time it would take to fix it, then it is clearly a defect"
You said at the top of your post that you agreed with me. Well, no: if you conciously and knowingly accept some vulnerability, my point is that it is *not* a defect. And my point now is that it probably isn't a vulnerability either: in your example, say, authenticating through non-cyphered HTTP (instead of HTTPS) conciously and knowing and accepting the trade-offs is certainly not a defect, nor I'd consider it a vulnerability.
"What about customer satisfaction"
bollocks
"and the financial detriment of losing your customers"
Which part of "legally or financially forced" didn't you understand?
"Question, what's the speed of light in a vacuum"
About 300.000Km/s
"is it constant?"
Hey, that's *two* questions! But, hey, the answer is "yes".
"Please prove"
And now they make three (gruntle). OK: Michesol-Morley experiment. There, two measurements, different light paths, same measured speed. If that's not enough, you have Roemer's measurements too.
"Hey, but you haven't proved it on every case"
So you don't believe my statement to be true? Well, it passes "Pope's falsation test", so it's now your turn: show an experiment where light travels in vacuum at a different speed and I will eat my words.
"The core concept of evolution, as I understand it, is selection."
No, it isn't. Mutation is the core concept, not selection. You can have selection without evolution (ask any gardener) but as soon as you have mutation you have evolution.
Once you accept evolution, then you go about how this evolution happens, and that's the true realm of Darwin's theory among its competitors (other theories of evolution). Darwin states that there is *random* evolution and then selection of the fittest by means of their higher reproduction rate (thus, first somehow appears variation of the neck lenght of proto-giraffes, then those with the longest necks get selected). Lamarck states that there's environmental-pushed evolution and then selection of the fittest by means of their higher reproduction rates (thus, first the proto-giraffes force their necks their whole life in an attempt to get to acacia leaves, then such an effort is somehow inherited by their descendance). Wallace states that there are both random and externally-directed evolution and then selection of the fittest and/or those more aquitant to God's plan (a very interesting guy, Wallace. He was a strong darwinist till he "noted" that "simple" random evolution and selection wouldn't explain the abyssmal difference between "the average african nigger, just a step over the gorilla, and the finest parisian citizen" -not his literal words, but quite to the spirit, therefore there should be something more, which he thougth to be God wanting the "true" man to appear).
"People who don't believe in evolution, if they get infections, should only ever be provided sulfa drugs, or maybe penicillin, and not modern antibiotics."
Please don't oversimplify creationist arguments or else they'll get strong by your mistakes. Bacterial antibiotic resistance is not needingly related to evolution: it can be easily explained by population variance and creationists know that (maybe one bacteria out of a billion is already resistant to the antibiotic; by means of exposing the bacterial population to the antibiotic effects after a few generations all bacterias are resistant just because only those of the lineage of the original resistant happen to survive -see? no evolution required. That's in fact what happens most of the time).
"No we call it the LAWs of Gravity; because time study has show the gravity model to be sound"
Sorry sir, but no, sir.
We call it a law because it is... a law. It expresses with certainty*1 and precission an aspect of reality. Please note that Newton's LAW of gravity is included within the frame of Newton's THEORY of universal attraction.
As a general matter, formulaes that express some important concept, specially if they have a worded translation, are laws while the conceptual frame such formulaes are included in are theories.
*1 Within the context certainty means that given an input they offer a precise output, not two nor three, not that they are somehow true. In fact, we know for almost a century that Newton's laws are INCORRECT but still they are laws.
"when someone reports a vulnerability, consider it something that you're obligated to fix, not as a feature request."
Why any company in the world would do something like that!!!???
Oh, yes, only if they are legally or financially forced, that's how.
Or do you think any company in the world would rise their production costs for no benefit?
If problems on cars were defects in the eyes of USA law, they'd be considered a material defect or design defect under existing contract or product liability law respectively.
There are a few possible outcomes from such a scenario
A) Nobody builds cars anymore because they'd be sued into oblivion
B) Car prices go up because builders & sellers have to buy car defect insurance
C) Prices go up because companies spend more in labor to produce defect free cars
D) The EULA lists every possible failure scenario (plausible or not) in the interests of full disclosure and business continues as usual
Well, I don't see car bussiness to be in bad shape lately.
"Was the lack of security and the potential vulnerabilities a defect or a design flaw for the small company?"
How can somebody twist a simple concept into such a contorted one?
Defect is nothing more and nothing less than something not working as expected. If something is there by a concious decision is a feature; if something is misdoing, it's a defect. It's as simple as that. Really.
Now, on defects: if something works as designed, but the designers didn't thought in advance of a given (misdoing) situation it's a design defect (in your example, if somebody misuse his admin rights and the boss feels it unacceptable *now*, that means that his security design was flawed. If he answers "well, these things happen, let's move on", then it's a feature). If something doesn't work as designed, and it's misdoing, it's an implementation defect. If something is working as designed and the designer doesn't feel some behaviour to be misdoing, then it's a systemic defect (either an unethical seller or an idiot/uniformed buyer).
And that's all.
"Seriously now, what's with all the hate at even the idea of a creator?"
That such a creator has the uncomfortable behaviour of not exposing His desires directly but through the aids of some chosen speakers which usually have a discourse too suspiciously similar to that expected from an all too human person, not a divinity, and that usually includes not only how the world became to be -usually in very suspiciously unobserved or directly against all evidence means, but a lot of behaviours for day-to-day observation including but not limited to, directly killing infidels.
Once you accept there is some kind of so High Being as God, all funny things can happen, since God's so High that His commands are not to be cuestioned no matter how stupid or immoral (to us, so lower creatures) they seem to be.
I hate the very idea of Somebody so High that it is above and beyond rational criticism, killing all hope of freedom for human race.
"While I agree it would be great to be able to impose similar work ethics and standards on other economies, it's something they need to work out for themselves in a manner that works to fit their economy."
Well, they can look for what fits to their economy all they want. But once they want to sell something on *my* markets then we are talking about *my* economy so there shouldn't be any problems to accept they must be playing by *my* rules... like "your goods shouldn't be produced by 12 hours-day workers". Please note I'm not trying to force them not to work 12 hours-a-day, after all, it's their economy and they know better what to do, I'm only stablishing conventions in order to go into *my* economy; they still can sell their good anywhere else (if accepted).
"I can attest that even in our own field there is a flexibility to the terms "project manager" and "project". Consider it a holy war of sorts."
Of course that happens only when you use Vi. Try Emacs instead.
"So you really don't mind if I take everything classified "Top Secret" and hand it over to Osama, Iran and China, whichever you fear the most?"
Did I say that? No, I didn't. Not at all sir.
I did tell (you can look at it if you want to) that "it doesn't make sense to make information illegal to posess."
What you imply is a much different thing: in order for you to be able to take Top Secret information and "and it over to Osama, Iran and China, whichever you fear the most", you have to:
a) Posses such information (which in itself it's ridiculous to be illegal since then, every agent with a Top Secret clearance that happens to posses such information should have to be a delincuent... like USA president, Mr George W. Bush).
b) Decide to take such information and hand it over the Top Secret barrier which is, in itself, illegal and I never said it shouldn't be illegal to take Top Secret documents and break its Top Secret status, did I?
c) Once that information's Top Secret status is broken, you should pass it to a declared USA enemy which, again, it's in itself illegal and I never said it shouldn't be illegal to pass information to declared USA enemies, did I?
"You don't think you have any right to privacy, sure the hacker that took over your machine did something illegal but that your whole life is now posted over the Internet is not?"
In order for such a thing to happen, quite more than one event must happen:
a) In order to post that information to the Internet, such a hacker must posses such information (which in itself it's ridiculous to be illegal since then, I should have to be a delincuent since I posses such information too).
b) Since he still doesn't posses that information, the hacker must previously hack my PC to get at it, which is in itself illegal, and I never said it shouldn't be illegal to hack third partie's PC in order to gain accesss to private information, did I?
c) Once the hacker (illegally) take a hand onto my private information he must make it public into the Internet which, again, is illegal by itself, and I never said it shouldn't be illegal to make public information you don't have legal right to, did I?
"The world isn't so simple as "Sticks and stones may break my bones, but words can never hurt me"."
It isn't. That's why Justice always tended to make heavy difference between free speech and libel. Words *do* hurt. Cutting down freedom and free speech does hurt *even more*, though.
It's have been told so many times lately (post 11-S) that it starts to feel empty words, but it's still truest (emphasis mine) that "The man who trades freedom for security does not deserve *nor will he ever receive* either."
You are trying to trade freedom for security, please understand Franklin's words and know that, if anything, you *won't* gain more security but, still, your freedom and that of others that doesn't think like you will be lost -and lost for nothing.
" Because in some cases people might be unaware of what's happening on their computer, it doesn't make sense to make information illegal to posess?"
You told it: it doesn't make sense to make information illegal to posess. I thought that to be self-evident in "the land of the free".