Slashdot Mirror


User: Anpheus

Anpheus's activity in the archive.

Stories
0
Comments
1,450
First seen
Last seen

Comments · 1,450

  1. Re:This gets me every time on MS Virtual PC Flaw Defeats Windows Defenses · · Score: 1

    I think it's important to remember that the vast majority of online Linux boxes are going to be servers which are already locked down, being run by at least semi-competent admins and probably with almost all the ports blocked except 80, 443, 21, an SSH port, etc. Essentially, they have a very small surface area, and even if there were a zero day, it's very easy for you to say "ah, that's not Linux's fault, that's Apache's fault. Even running OpenBSD would not have saved them."

    So it's very hard to compare "Windows" to "Linux", and even more so when you compare surface area exposed by the average computer running either. That's not even taking into account the relative proportions.

  2. Re:This gets me every time on MS Virtual PC Flaw Defeats Windows Defenses · · Score: 1

    Well then we'll have to agree to disagree. I think Vista was an important and painful step forward for security, and that Windows 7 is probably about as secure as Linux 2.6.x. (Nothing can stop a user from wanting to see the dancing bunnies, etc.)

    In Linux for example, gksudo is not a secure way to enter your password, and neither is entering your password into a sudo prompt in a shell. In Windows, you'd need to have already exploited the computer in order to read a UAC prompt.
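
One concrete reason a sudo prompt typed into a terminal has no trusted path, shown as an added example that is not the commenter's code: anything already running as the same user can shadow the `sudo` command, for instance by dropping a wrapper named `sudo` into a user-writable directory that comes earlier in PATH than the real binary. The check below resolves a command the way a shell does and reports why the hit should not be trusted. The expected system directories and the setuid-root requirement are assumptions for sudo on a typical Linux install; the check cannot see shell aliases or functions, which live inside the interactive shell itself (use `type sudo` for those).

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Resolution:
    path: Optional[str]   # first executable with that name found on PATH, if any
    trusted: bool         # True only when no check below complained
    reasons: List[str]    # why the hit should not be trusted


def resolve_command(name, path_env, expected_dirs=("/usr/bin", "/bin"),
                    require_setuid=True):
    """Walk PATH the way a shell does and collect reasons to distrust the hit.

    expected_dirs and require_setuid are assumptions that fit sudo on a typical
    Linux system; pass require_setuid=False for ordinary commands.
    """
    reasons = []
    expected = {os.path.realpath(d) for d in expected_dirs}
    found = None
    for d in path_env.split(os.pathsep):
        d = d or "."  # an empty PATH entry means the current directory
        try:
            os.stat(d)
        except OSError:
            continue
        # Every directory searched up to and including the hit is attack
        # surface: if the user can write there, a wrapper named `sudo` that
        # records the password and then calls the real one can be planted.
        # (Run this as the unprivileged user: for root everything is writable.)
        if os.access(d, os.W_OK):
            reasons.append(f"user-writable directory {d!r} is on the search path for {name}")
        cand = os.path.join(d, name)
        try:
            cst = os.stat(cand)
        except OSError:
            continue
        if stat.S_ISREG(cst.st_mode) and cst.st_mode & 0o111:
            found = cand
            break
    if found is None:
        reasons.append(f"{name} not found on PATH")
        return Resolution(None, False, reasons)
    cst = os.stat(found)
    if os.path.realpath(os.path.dirname(found)) not in expected:
        reasons.append(f"{found} is outside the expected system directories")
    if cst.st_uid != 0:
        reasons.append(f"{found} is not owned by root")
    if require_setuid and not (cst.st_mode & stat.S_ISUID):
        reasons.append(f"{found} is not setuid root, so it cannot be the real sudo")
    return Resolution(found, not reasons, reasons)


if __name__ == "__main__":
    r = resolve_command("sudo", os.environ.get("PATH", ""))
    print("trusted" if r.trusted else "UNTRUSTED", r.path)
    for why in r.reasons:
        print("  -", why)
```

The point of the check is the contrast the comment draws: a UAC prompt on the secure desktop cannot be drawn or read by ordinary user-level code, whereas the terminal prompt can be imitated by any process that reaches the user's PATH, rc files, or shell.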

  3. Re:This gets me every time on MS Virtual PC Flaw Defeats Windows Defenses · · Score: 1

    It's not about fixing 1000 issues, if you tackle security like that, you'll be fixing 1000 issues every month until the end of time. And your problem will grow as your company and the amount of code you write grows. So theoretically you could eventually break even, but the worst security issues will be the ones you don't know about, the ones you can't measure in your tickets closed per month metric. So what if you closed 1000 bug tickets in a month? Anyone can do that, how about you go an entire month without a single bug ticket?

    That's where we come to a mythical man month problem. There's only so much money and so many people you can throw at security before you come up against the fundamental problem that security is a group effort, and is defined by a process that leads to fewer vulnerabilities, fewer bugs overall.

    I don't mean to be an apologist for Microsoft, they've been atrocious in the past and perhaps they are merely mediocre now. But the fact remains that you can't simply throw money at fixing vulnerabilities and have them go away. It doesn't matter how good your "vulnerability-checkers" are if they can't keep up with the hundred times larger number of coders you have writing bad code on a daily basis.

    tl;dr: you don't want people who can close bug tickets, you want to hire very smart, very disciplined people and empower them to create a process whereby bug tickets and vulnerability cases are never opened. This is ultimately a more difficult problem than simply throwing time and money at fixing bugs. Doubling your investment will not halve your vulnerabilities.

  4. Re:Governments never reduce costs on FCC's Broadband Plan May Cost You Money · · Score: 1

    Where do you live that average "broadband" speeds exceed 1 megabit?

    I live in Iowa, and regularly have to deal with people who can't reliably get even that.

    Remember that statistics can be deceiving. The average wage in the US has risen for decades (recession years excluded, or better yet, just do a five year average) but no reasonable statistician graphs average wages; they're pointless. As wealth distribution in the US has become more and more skewed, the average wage has risen but the median wage... not so much. So the average in the US might be high, but if you're trying to measure where the average person sits in terms of bandwidth, you need to look for the median bandwidth in the US.

  5. Re:This gets me every time on MS Virtual PC Flaw Defeats Windows Defenses · · Score: 1

    Mythical man month much?

    Pouring more resources into security doesn't make it happen. Sorry.

  6. Re:Sadly, this is not new practice in the print... on BioShock 2's First DLC Already On Disc · · Score: 1

    With most software licensing, what you're really paying for is whether or not they support your installation. A smaller number of seats, fewer computers, etc., is always cheaper, leads to fewer support calls, questions asked. On the other hand, large enough companies will have a dedicated IT team and help desk that will filter those out even more, so once you reach a certain volume the support calls start to go down again.

    I think it would be interesting to see internal data from major software vendors showing number of licenses sold on the x axis, number of support calls per license sold per year on the y axis. It'd be a lot harder to measure forum or community participation but that would be interesting too. I would imagine community forum participation would fall to zero once the volume grew enough, because the company's internal team would resolve all those minor issues.

  7. Re:Too easy... can't resist... on Good Language Choice For School Programming Test? · · Score: 1, Troll

    Are there only 2 or 3 languages on the list? (Did not even read TFS.)

  8. Re:"NoSQL"? on Digg Says Yes To NoSQL Cassandra DB, Bye To MySQL · · Score: 1

    As long as you stick to a strict subset of SQL and don't get fancy, you mean. Otherwise you'll have to rewrite it for every database engine you want your code to run on.

  9. Re:Database Evolution on Digg Says Yes To NoSQL Cassandra DB, Bye To MySQL · · Score: 2, Interesting

    Now, I'm not an expert on database use and don't want to come across as sarcastic, but it's my impression that a lot of the questions that are being asked of these new types of databases simply don't have past analogues, or if they did, they were solved with this sort of approach in an RDBMS, basically using an RDBMS but without the relational part. Hadoop, Google, and all these social networking sites surely aren't all just... confused? Are they?

    Please elaborate on how an RDBMS is applicable to what I guess is now called "scaling horizontally", or perhaps more formally known as sharding, or partitioning with redundancy. It's my impression that most of the RDBMS products available today are simply atrocious at this, but if you can point out which books I need to look at, and which products have good support for this sort of scale, I'd love to learn.

    Thanks.

  10. Re:You get what you pay for? on Jobs Says No Tethering iPad To iPhone · · Score: 1

    There ought to be a comma after "you" and probably after "sir" in your sentence.

    S'alright, it happens to the best grammar nazis.

  11. Re:IBM Power7 also has 8 cores on 8-Core Intel Nehalem-EX To Launch This Month · · Score: 1

    Your post is all sorts of confusing.

    It is actually based on 45nm technology compared to Intel's latest 32nm.

    That makes it sound like more nanometers is better. Not in this case.

    Both Nehalem-EX and Power7 are targeting low-end server market, so it should be interesting battle.

    You have an extremely interesting definition of low end.

  12. Re:90% shared code? on Microsoft Demos Three Platforms Running the Same Game · · Score: 1

    If there was a serious open source competitor to Java/C#, I'd love to hear about it. But right now, there are only open source implementations of either.

  13. Re:What? on Toyota's Engineering Process and the General Public · · Score: 2, Insightful

    The last thing you want is the computer to reset, that is, the one that's controlling the engine, brakes, and power steering along with traction control and other components.

  14. Re:Little Flawed study. on Wear Leveling, RAID Can Wipe Out SSD Advantage · · Score: 1

    I think the reason HDD speeds don't go that low is due to the necessary Bernoulli effect? I'm not a physicist / hard drive manufacturer though. There are a lot of "green" hard drives that vary between 5k and 7k though.

  15. Re:ZFS sidesteps the whole RAID controller problem on Wear Leveling, RAID Can Wipe Out SSD Advantage · · Score: 1

    That's not the problem, the problem is a lot of the high end controllers have 8, 16, 24, etc SAS ports. If you were to plug SSDs into all of those ports, you'd swamp the card, whether you treat the disks as JBOD or let the controller handle it. And the storage vendors who make real nice SANs did the same thing. They have one controller managing dozens of HDDs because their performance is so abysmal.

  16. Re:Software RAID? on Wear Leveling, RAID Can Wipe Out SSD Advantage · · Score: 1

    This. I'm surprised no one has mentioned it. I don't think there's a RAID controller on the market that supports pass-through TRIM. Which is going to be one hell of a wakeup call when an admin finds the batch job took ten times longer than usual. I had this happen with an X25-M, I had stopped paying attention to the log file's end time for various steps, and one day I woke up to it running past 9AM (from the initial times of taking a mere ten minutes when starting at 5AM.)
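
A check for the situation the comment describes, added here as an example and not the commenter's code: before putting SSDs behind a RAID controller (or after doing so), confirm whether the operating system can actually issue TRIM/discard to the block device it sees. On Linux, `lsblk -o NAME,DISC-GRAN,DISC-MAX` reports the discard granularity and the maximum bytes per discard request; a device that reports 0 for both cannot be trimmed, which is what a controller that does not pass TRIM through looks like from the host. The sample output below is constructed for the example and assumes the column layout of util-linux `lsblk`; the live call at the end is only attempted when `lsblk` is present.

```python
import shutil
import subprocess

# Constructed sample in the shape of `lsblk -o NAME,DISC-GRAN,DISC-MAX`.
# sda stands in for a logical volume exported by a RAID controller that
# swallows TRIM; sdb and nvme0n1 are directly attached SSDs.
SAMPLE = """\
NAME    DISC-GRAN DISC-MAX
sda            0B       0B
sdb          512B       2G
└─sdb1       512B       2G
nvme0n1      512B       2T
"""


def parse_lsblk_discard(text):
    """Return {device_name: supports_discard} from lsblk discard columns.

    Tree-drawing characters that lsblk prints for partitions are stripped;
    both the human-readable "0B" and the --bytes form "0" count as no discard.
    """
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] == "NAME":
            continue
        name, _granularity, maximum = parts[:3]
        name = name.lstrip("├└─│ ")
        result[name] = maximum not in ("0", "0B")
    return result


def devices_without_discard(text):
    """Names of devices that advertise no discard capability at all."""
    return sorted(name for name, ok in parse_lsblk_discard(text).items() if not ok)


def live_check():
    """Run lsblk on this host; returns None when lsblk is unavailable."""
    if shutil.which("lsblk") is None:
        return None
    out = subprocess.run(
        ["lsblk", "-d", "-n", "-o", "NAME,DISC-GRAN,DISC-MAX"],
        capture_output=True, text=True, check=True,
    ).stdout
    return devices_without_discard(out)


if __name__ == "__main__":
    print("sample: no discard on", devices_without_discard(SAMPLE))
    live = live_check()
    if live is not None:
        print("this host: no discard on", live)
```

A device flagged here is a candidate for exactly the slow-creep the comment describes: writes that used to hit erased blocks start paying for garbage collection, and the batch job that took ten minutes quietly grows.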

  17. Re:Oops. I forgot to plan the array on Wear Leveling, RAID Can Wipe Out SSD Advantage · · Score: 1

    A lot of those features are available for a lot less than $100,000. But what you don't get, usually, is the same level of support.

  18. Re:Little Flawed study. on Wear Leveling, RAID Can Wipe Out SSD Advantage · · Score: 4, Interesting

    I agree. 60 drives in RAID0 are going to see between 150 and 200 IOPS/drive, maybe more for 2.5" drives right? So that's 12,000 IOPS.

    The X25-E, the new Sandforce controller, and I believe some of the newer Indilinx controllers can all do that with one SSD.

    $/GB is crap, $/IOPS is amazing.

  19. Re:Get A Clue Please on White House Declassifies Outline of Cybersecurity Plans · · Score: 1

    You're absolutely right, there are a lot of bad practices in web design.

  20. Re:A challenge... on Toyota Black Box Data Is More Closed Than Others' · · Score: 1

    Whoosh! Slashdot can't display unicode.

  21. Re:Seems about right on Typical Windows User Patches Every 5 Days · · Score: 1

    Because I don't proofread and Slashdot doesn't support editing, my second paragraph refers to your third point if that wasn't made clear.

  22. Re:Seems about right on Typical Windows User Patches Every 5 Days · · Score: 1

    I'll give you the second point, they don't make it particularly easy to get new CDs. I wish they did a better job of this, but I understand their rationale. With their IT personnel license, I have access to every version of Windows back to 3.0, and every version of XP ever made (every home and pro, N and Media Center and every service pack and language release.) But that's not going to help the average person either.

    On the second point, even if they didn't charge anyone, they'd have to filter it heavily and that'd lead to antitrust issues I'm sure. They couldn't just let anyone put stuff on it, and it might even be a liability if they take an extra 24 hours to release Adobe Flash Hotfix #9451. I doubt they want to deal with it.

  23. Re:Seems about right on Typical Windows User Patches Every 5 Days · · Score: 2, Informative

    1. What OS? It's impossible to diagnose the reason for your anecdote without more specifics. Frankly, it sounds like his laptop is infected and yours had updates that were old enough to be superseded (XP I believe would sometimes fail an update that wasn't needed because of another update.)

    2. Installing Windows XP without any service packs is as silly as installing Ubuntu 4.10 (notice that this is four years after Windows XP came out). Actually, try installing Ubuntu 4.10 and see how many reboots it takes. You're in for a treat. For bonus points, install a bunch of user applications, send some emails, write some documents, and then see what happens to these applications as you upgrade to Ubuntu 9.10.

    3. I fail to see how this is Microsoft's fault. If they had an officially sanctioned app store they'd be crucified for pushing it with Windows. Such an app store would invariably be useful. Anyhow, in a business setting you can deploy non-Windows, non-Microsoft updates through the Windows Update utility, so I can force Adobe Flash to update on clients, for example.

  24. Re:Get A Clue Please on White House Declassifies Outline of Cybersecurity Plans · · Score: 1

    You were going so well until you said "poorly written ASP.NET" websites. Anyone can write a poorly designed website in any language, with loads of SQL injection vulnerabilities and all that good stuff.
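
The language-independence of the bug the comment names, shown as an added example that is not the commenter's code: the same SQL injection in Python against an in-memory SQLite database with constructed rows, so it runs offline. `lookup_vulnerable` splices the untrusted value into the SQL text; `lookup_safe` hands it to the driver as a bound parameter, which can never alter the statement. The table, rows and payload are all made up for the example.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)", [
        ("alice", "alice@example.com"),
        ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return db


def lookup_vulnerable(db, name):
    # Anti-pattern: the user-supplied string becomes part of the SQL program,
    # so a quote in the input ends the literal and the rest is executed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, name):
    # Parameterised query: the statement is compiled with a placeholder and the
    # value is bound afterwards, so the input is only ever compared as data.
    return db.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Classic tautology payload; the closing quote is supplied by the vulnerable
# query itself, so the WHERE clause becomes  name = 'x' OR '1'='1'.
PAYLOAD = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("honest lookup :", lookup_vulnerable(db, "alice"))
    print("injected      :", lookup_vulnerable(db, PAYLOAD))   # every row leaks
    print("parameterised :", lookup_safe(db, PAYLOAD))         # no match
```

Nothing in the vulnerable function is specific to Python or SQLite; the same concatenation in ASP.NET, PHP or Java produces the same result, which is the comment's point.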

  25. Re:Upgrade... on Secret Service Runs At "Six Sixes" Availability · · Score: 1

    I made that point in my second sentence. I can't imagine a mainframe with an active support contract has less than 99% uptime. I'm pretty sure that "performance reliability rating" is not a euphemism for "service level availability."