It seems like this is an extremely important piece of work for a Linux company to get for two reasons:
But the city representatives know this, too, and I'm sure they are trying to exploit it to some degree. At least I hope so, they owe it to us taxpayers.
Sounds like a good opportunity to look into why and exactly what isn't going too well, so it can be fixed.
They are still preparing the invitation to bid. It seems that Red Hat, SuSE, IBM and all the usual suspects want to see too much money, more than initially expected. There isn't much you can do about it. Even bidding yourself wouldn't help because you wouldn't be able to compete against these brands, even if your bid were much lower.
"A previously unknown vulnerability in Microsoft's Web software allowed an online attacker to take control of a publicly accessible U.S. Department of Defense server last week, the military confirmed late Tuesday."
http://news.com.com/2100-1009-993276.html
(This has been confirmed over more or less independent channels. Nobody was truly independent because of the pending war on Iraq, of course.)
And, as you all know, several holes in Internet Explorer exist which are being exploited actively.
All in all it seems like a pretty stupid decision by the Court.
I don't think so. "Mandrake" is not a French word, so you shouldn't look up its meaning in an English dictionary. And a name of a plant is not a descriptive term in the field of computer software (it's not as questionable as trade-marking "Windows" for a windowing system in the US), so a trademark isn't completely crazy.
So the typical causes of stupid trademarks don't apply here, and we'd have to look at the details of the ruling to see if it's sane or not. Maybe "Mandrake" is a commonly recognized trademark in France? Maybe the trademark holder even sells software (games perhaps)?
Sun are taking all the risks, by investing so much time and effort in Linux development.
Larry McVoy recognized the GNU/Linux model as a lifesaver for UNIX back in 1993, when he still was on Sun's payroll. The company executives ignored him. Apparently, not much has changed during the last ten years in the mindset of those people, even though the future of the company is at stake.
I moved from Java to Mono/c# recently and I don't think I'll be going back.
If you are able to move this quickly from Java to C#, I don't think you are in Sun's target group anyway (not enough KSLOCs).
Most people I know associate "IBM IDE drive problems" with "DTLA". Is the GXP series the same as the DTLA series, or did IBM have two different IDE disk product lines which suffered from severe quality problems?
OpenOffice?
The core components of OpenOffice are written in C++ (with German comments 8-).
WebObjects is a huge Java system for developing server applications, used in many places including the Apple store online.
There is widely-used software written in Java, but it seems to fall mainly in three categories: server-side components for the creation of web services, and development tools (often related to the first category), and the software created using the first two.
These are of course significant, but I wouldn't call them "apps". "Apps" are word processors, mail clients, web browsers, file-sharing software, etc.; in short: client stuff.
Then you'll just get people switching to a different JVM. Sun's isn't the only one, and if they try to screw people over, people will go to the competition.
Only if Sun's acts are too painful. Look at Microsoft: almost everyone is complaining loudly about Software Assurance, and yet most companies still run Microsoft software (even in areas where switching wouldn't be a long-term project).
The thing is, because Java is free, that's why there are so many apps that run on it.
What apps? Please name a significant one. I don't run Java applications (except Eclipse, for Java code review 8-) and don't feel that I'm missing something.
At least in the environments I'm aware of, Java is solely used on the server side to implement business logic. No GUIs at all, no "apps".
That is, sell the compiler (and possibly an Enterprise version of the virtual machine), but allow others to develop compilers of their own for free. With any luck, it might just sell Java to those who would buy it and get support, and keep Java free for those who don't want/need support.
I don't think this is sufficient. Sun should force everyone who runs its JVM to pay a license fee (much like Microsoft does with Windows now, after tolerating years of illegal copying).
What is it that is being ask of Sun here?
Read the letter.
If you are a GNU/Linux distributor, you cannot sell (or even give away) CDs with Sun's Java implementation because the license forbids that. It's either GNU GCC or Sun Java, and guess what's more important...
I like the fact that there is only one "branch" of java.
There's also one branch of Microsoft Windows, too, and some people are unhappy with that. They keep calling it a "monopoly" and claim that it's something very bad.
As long as AWT and Swing are missing, gcj is still in diapers.
AWT and Swing can hardly be considered widely-used components of Sun's Java environment. Java's strengths lie elsewhere.
(SWT has been ported to GCJ, by the way.)
How do you expect them to cash in on Java?
Change the license terms and withdraw all support for older versions, thus forcing everyone to upgrade and pay the bucks?
There's quite a bit of business-critical software running on Java now, and the alternative Java implementations often can't run them. Worst of all, you'd probably lose certification and support from other vendors if you don't run the official Sun Java version.
Java could become the cash cow for Sun, they just have to stop the half-baked attempts to milk it (by selling tools nobody needs or tools which compete with significantly better free software alternatives) and go for the real money.
Would the current Java users keep using Sun Java? It depends, but if the introductory pricing is not too extreme, there's hardly any incentive for porting (or investing in non-Sun Java technology). Sun could raise the costs over the years. But maybe it's too late for that, and there isn't so much time left for the company.
I know very little about it, but I looked up DSA-394 and links therein, and it seems it was just a DoS in the worst case on Debian,
There was a double free() bug; such bugs have previously resulted in remote code execution on GNU/Linux systems.
but it contains "Assigned (20030714)". Does that mean it was known on 14 July? In that case, it took three months?
I suppose you are referring to the CVE candidate name assignment. If you regularly coordinate vulnerability resolution, you can get blocks of these numbers which you can use early in the process, to make sure that all vendors use the same CVE candidate in their advisories. (This is from memory, please ask MITRE if you want to know the exact details.)
The bottom line is that you can't tell from the information in the CVE database when an undisclosed vulnerability was known to the vendor.
So, you're happy that eeye - a company you don't have any relationship with - has had access to your computer for the last six months?
Well, it's your fault that you don't have a relationship with eEye. They certainly offer to change that if you carefully read the press release:
Retina(R) Network Security Scanner customers are already protected against this vulnerability.
Vulnerability "research" doesn't protect you. Its primary purpose is to generate a revenue stream for companies like eEye. (Have a look at Eric Rescorla's upcoming USENIX paper if you doubt that.) You are expected to buy virus scanners, intrusion detection systems, and network vulnerability scanners to contain the effect of their discoveries, from the very same companies.
In meatspace, that's called "extortion".
Just keep in mind: Yesterday, we called them "crews", today the media calls them "researchers".
Name me an instance where "really doing due diligence" vis-a-vis security is an option, like this guy makes it sound.
Of course it is. For most people, it's more important that their infrastructure works at all than it's working in a secure way.
If you had the choice between (a) a fix for a problem that results in file corruption on one of your file servers multiple times per day, resulting in dozens of support calls per week, and (b) a fix for some obscure vulnerability that has been in Windows for years, without causing you any trouble--which option would you choose? Which choice could you explain to management?
Didn't openssl have a very similar bug that was disclosed & fixed just about 6 months ago?
According to the reports I've read, the bugs aren't very similar.
In both cases, the devastating results of the PROTOS SNMP test suite (which also incorporated ASN.1 tests) very likely provided the necessary incentive to look at ASN.1 parsers, but I doubt that the research or the actual code are related in any other way (as some have claimed).
However, the impact of those bugs is comparable (at least on GNU/Linux systems), and it's nice that the free software community was able to provide a patch in a more reasonable timeframe. (The source code patch doesn't fix embedded systems with OpenSSL, of course, but that's another story.)
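The two ASN.1 bugs discussed above are not described in detail on this page, so what follows is an added illustration, not code from OpenSSL or from the other affected product: a bounded DER tag/length/value framer of the kind that has to survive PROTOS-style malformed input. It rejects indefinite lengths, non-minimal length encodings, length fields that claim more bytes than the buffer holds, and unbounded nesting. The 4-byte cap on long-form length octets, the 4-byte cap on high-tag-number octets and the depth limit are my own assumptions; the sample encodings are constructed by hand.

```python
# Added example: defensive DER (ASN.1) TLV framing with explicit bounds checks.
# Not the OpenSSL parser; limits below are assumptions chosen for illustration.

MAX_LENGTH_BYTES = 4   # assumption: refuse lengths encoded in more than 4 octets
MAX_TAG_BYTES = 4      # assumption: refuse high-tag-number forms longer than 4 octets
MAX_DEPTH = 32         # assumption: refuse constructed values nested deeper than this


class DERError(ValueError):
    """Raised for any framing problem; the caller never sees a partial result."""


def read_tag(buf, off):
    """Decode the identifier octets at buf[off:]. Returns (class, constructed, number, next_off)."""
    if off >= len(buf):
        raise DERError("truncated tag")
    first = buf[off]
    off += 1
    tag_class = first >> 6
    constructed = bool(first & 0x20)
    number = first & 0x1F
    if number == 0x1F:                      # high-tag-number form: base-128, high bit = continue
        number = 0
        for _ in range(MAX_TAG_BYTES):
            if off >= len(buf):
                raise DERError("truncated high tag number")
            b = buf[off]
            off += 1
            number = (number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
        else:
            raise DERError("tag number too large")
    return tag_class, constructed, number, off


def read_length(buf, off):
    """Decode DER length octets at buf[off:]. Returns (length, next_off)."""
    if off >= len(buf):
        raise DERError("truncated length")
    b = buf[off]
    off += 1
    if b < 0x80:                            # short form
        return b, off
    n = b & 0x7F
    if n == 0:
        raise DERError("indefinite length is not allowed in DER")
    if n > MAX_LENGTH_BYTES:
        raise DERError("length field too long")
    if off + n > len(buf):
        raise DERError("truncated length octets")
    length = int.from_bytes(buf[off:off + n], "big")
    # DER requires the shortest encoding: no leading zero octet, and the long
    # form only when the value does not fit the short form.
    if buf[off] == 0 or length < 0x80:
        raise DERError("non-minimal length encoding")
    return length, off + n


def read_tlv(buf, off=0, depth=0):
    """Decode one TLV at buf[off:]. Returns (node, end_off) where node is
    (tag_number, bytes) for primitive values or (tag_number, [children]) for
    constructed ones. Every length is checked against the bytes actually present
    before any slice is taken."""
    if depth > MAX_DEPTH:
        raise DERError("nesting too deep")
    _cls, constructed, number, off = read_tag(buf, off)
    length, off = read_length(buf, off)
    remaining = len(buf) - off
    if length > remaining:
        raise DERError(f"value length {length} exceeds remaining {remaining} bytes")
    end = off + length
    value = buf[off:end]
    if not constructed:
        return (number, bytes(value)), end
    children = []
    pos = 0
    while pos < len(value):                 # children must exactly fill the value
        child, pos = read_tlv(value, pos, depth + 1)
        children.append(child)
    return (number, children), end


def parse_der(buf):
    """Parse a complete DER blob; trailing garbage is an error, not ignored."""
    node, end = read_tlv(bytes(buf))
    if end != len(buf):
        raise DERError(f"{len(buf) - end} trailing bytes after value")
    return node


def is_well_formed(buf):
    try:
        parse_der(buf)
        return True
    except DERError:
        return False


# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hi" }
GOOD = bytes.fromhex("300702010504026869")
# Constructed malformed samples of the kinds a PROTOS-style suite produces.
BAD_HUGE_LENGTH = bytes.fromhex("3084ffffffff")   # claims ~4 GiB of content
BAD_INDEFINITE = bytes.fromhex("0480")            # BER indefinite length
BAD_NON_MINIMAL = bytes.fromhex("02810505")       # long form for a value < 128
BAD_TRUNCATED = bytes.fromhex("04056162")         # length 5, only 2 bytes follow

if __name__ == "__main__":
    print(parse_der(GOOD))
    for sample in (BAD_HUGE_LENGTH, BAD_INDEFINITE, BAD_NON_MINIMAL, BAD_TRUNCATED):
        print(sample.hex(), "well-formed:", is_well_formed(sample))
```

The point of the structure is that `length` is compared against `len(buf) - off` before it is used for anything, and the recursion for constructed values operates on the already-bounded slice, so a child can never read past its parent. A parser that trusts the length field and only later discovers the shortfall is exactly the kind of code that a fuzzed length octet turns into a memory-safety bug.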
I would like to get my hands on one of these if it does not include all the applications I don't need: Windows Messenger, Internet Explorer, Outlook Express. Just the basic UI.
I'm sure the UI will be Thai-only, as some sort of copy prevention scheme. If not, everyone would buy their Windows copies in Thailand, right?
Hard tokens and digital certificates... why would you allow ANYONE you do not EXPLICITLY know to set up a remote external connection?
It's a chicken-and-egg problem. To identify someone remotely, you need some kind of information exchange, which, by definition, has to be initiated by a yet unidentified party.
This is a real problem. I don't know any fully trustworthy X.509 implementation, for example. That's why I think the first hurdle shouldn't involve cryptography (at least not asymmetric cryptography 8-).
sniff the port knocks
It's not even sniffing. Payload doesn't show up in log, usually, but L4 information like this certainly does.
Actually, I think the basic idea is sound. If you have to run a private, critical and complex service over the public Internet (access to an SSH server or to your VPN gateway, for example), and you add very simple access control, you won't be among the very first victims once a new vulnerability is exploited. As a result, you probably have enough time to disable or patch the service.
And by the way, controlling access by source IP address is sufficient for that (but not always possible, unfortunately).
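To make the point in the two replies above concrete (that a knock sequence needs no payload sniffing because the layer-4 facts are already in the packet-filter log), here is an added example, not code from the original thread or from any port-knocking tool, that reconstructs the knock sequence from iptables-style syslog lines. The log lines are constructed, the 30-second knock window and the "protected port 22" choice are assumptions, and the regular expression matches only the LOG target's `SRC=`/`PROTO=`/`DPT=`/`SYN` fields.

```python
# Added example: recover a port-knock sequence from packet-filter logs.
# The log lines below are constructed; no real hosts or traffic are involved.
import re
from collections import Counter, defaultdict
from datetime import datetime

# iptables LOG-target lines as written by syslog (assumed format; year is absent).
SAMPLE_LOG = """\
Oct 17 22:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40211 DPT=7000 SYN
Oct 17 22:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40212 DPT=8000 SYN
Oct 17 22:14:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40213 DPT=9000 SYN
Oct 17 22:14:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40214 DPT=22 SYN
Oct 17 22:31:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN
Oct 17 23:02:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40300 DPT=7000 SYN
Oct 17 23:02:12 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40301 DPT=8000 SYN
Oct 17 23:02:13 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40302 DPT=9000 SYN
Oct 17 23:02:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40303 DPT=22 SYN
"""

# Only L4 metadata is needed: timestamp, source address, destination port, SYN flag.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+) .*SYN"
)


def parse_log(text):
    """Return a time-sorted list of (timestamp, src_ip, dst_port) for TCP SYNs."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # year defaults to 1900
        events.append((ts, m.group("src"), int(m.group("dpt"))))
    events.sort()
    return events


def infer_knock_sequences(events, protected_port, window=30):
    """For each source, collect the closed-port SYNs that immediately precede a SYN
    to protected_port within `window` seconds. Each such run is a candidate knock."""
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))

    result = {}
    for src, hits in by_src.items():
        sequences = []
        pending = []                      # recent non-service SYNs from this source
        for ts, dpt in hits:
            pending = [(t, p) for t, p in pending if (ts - t).total_seconds() <= window]
            if dpt == protected_port:
                if pending:               # service reached right after a run of knocks
                    sequences.append(tuple(p for _, p in pending))
                pending = []
            else:
                pending.append((ts, dpt))
        if sequences:
            result[src] = sequences
    return result


def recover_knock_sequence(text, protected_port=22, window=30):
    """Most frequently observed knock sequence across all sources, with its count."""
    seqs = infer_knock_sequences(parse_log(text), protected_port, window)
    counts = Counter(seq for runs in seqs.values() for seq in runs)
    if not counts:
        return None, 0
    seq, n = counts.most_common(1)[0]
    return list(seq), n


if __name__ == "__main__":
    seq, n = recover_knock_sequence(SAMPLE_LOG)
    print(f"knock sequence {seq} observed {n} times")
```

Anyone who can read the filter log (or netflow) on the path gets the same answer as a sniffer would, which is why knocking only buys the breathing room described above, not authentication. The same data, grouped by source address as the function does, is also what you would use to write the source-IP allow list that the second reply prefers where it is possible.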
Many X implementations are proprietary (although they stem from the MIT code base). There has never been a problem linking GNU software with these libraries. They are part of the operating system, and there's a special exception in the GPL for such libraries.
Um, wouldn't all contributors have to actively agree with a license change which affects their contributions, i.e. code they are the copyright owner of?
The previous license explicitly allowed sublicensing, and the XFree86 Project is doing exactly that.
Not to start a flamewar or anything, but what's wrong with Firebird now?
Last time I checked, it didn't support client certificates.