I was getting excited about the imminent release of Debian Lenny, but it has been delayed again. There are some 200 outstanding release-critical bugs left to squash before it can be released. I appreciate the thoroughness put into Debian releases, which is why I use it myself. Some flavors I’ve used are as follows: Slackware, RedHat, Gentoo, Debian, OpenSUSE, Red Hat Enterprise, SuSE Linux Enterprise Server & Desktop. I’m no Linux zealot, but Linux does have a place in enterprise and small business.
I prefer Debian because it is so thoroughly tested, its updates and security patches are simple, and it is the best documented flavor out there. I mainly use Linux in a server environment, although I have run it as my primary desktop for many years both at home and at work. My professional Linux experience includes running several HPC clusters and large crunch machines which process large analysis jobs. At work I am currently centered on SuSE Linux Enterprise Server. The business wants to have paid maintenance even though I’ve never taken advantage of it. Part of the theory is that they may need it if I were ever to leave.
Good thing I back up my sites every night. Yesterday with one fell swoop I wiped out every one of my MySQL databases, and had to restore from last night’s backup. Fortunately this happened early in the morning and there was little lost. My wife lost some comments and I lost some configuration changes. The comments can’t be replaced, but the configuration changes were easily redone, although I haven’t finished all of them yet.
Saw this article over on Engadget where HP thinks that changing the interface on Linux is equivalent to writing an OS. The original article with more details is at BusinessWeek.
Just want to clarify something here. RedHat is not an operating system. SuSE is not an operating system. Linux is an operating system. BSD is an operating system. Microsoft Windows is an operating system. If I skin Windows and add in some freeware applications it doesn’t make it a new operating system. I think Microsoft would have an issue with that. The only way people get away with saying things like this is that there is no one who controls Linux from a commercial standpoint.
It is interesting that they think they want to undertake the maintenance duties of developing their own flavor of Linux. I think they would be much better served by using SuSE or RedHat, or even Ubuntu. The major PC vendors have displayed many times that they can’t get open source right. In fact, one of the biggest gripes I have with Dell is that they charge more for their hardware if you buy Linux than if you buy Windows, and they don’t offer their higher-end hardware with Linux. I’m the kind of person who always wipes a PC clean and reinstalls the operating system after I get a system, so it doesn’t matter much to me whether or not it comes with Linux, but I think there should be some kind of price break for not having to pay for Windows. Unfortunately it seems that the actual value to the big-name PC makers is diminished by having Linux on the box. Apparently they get so many kickbacks from Microsoft that they subsidize the hardware. Right.
Anyway, this rant is brought to you because an operating system is different from a theme and a set of installed applications.
Since the other day was talk like a pirate day, I thought I would write about a different kind of pirate – one that uses and trades unlicensed software. When I was in college I always vowed that I would pay for the software that I used once I had a job and the means to afford it, and I have kept with that promise. I understand that there are many people without the means to purchase software, and that piracy can help them get a leg up in their education to be able to afford to purchase that software in the future. I personally don’t want to ever have to go there again. Everything on my computer is either Freeware/GPL or paid for commercial software.
I’m not sure there is a good solution for piracy though, because some people will perpetually steal software with no sense of moral grounding. I was speaking with an individual who is a recent graduate from college who was in my same boat – couldn’t afford the software, but wanted to have it so he could learn how to use it and make himself marketable. He was also of the same mindset, and while he probably isn’t making a super huge salary, he is starting to purchase the software that he previously downloaded and removing the software that he no longer has need of.
On the other hand, I know of a few individuals who make many times my salary yet feel that they shouldn’t have to pay for the software on their computers. I know this because I have cleaned up their computers from some of the garbage that they downloaded that had backdoors and spyware associated with it. I have been asked many times to reload unlicensed versions of Windows, which I refuse to do, and one time I was told by someone I work for to do it for his boss on company time. I don’t want to get started about how many levels deep that ethical issue went.
The system is broken.
Software Copyright holders attempt to use activation procedures to protect their content, however this is like putting a lock on a screened-in porch door. It only keeps the good people out. Media copyright holders such as the RIAA and MPAA are attempting to go after those who share their content, however this misses the people with hard drives full of movies and music who are collectors. They seem to target the small players too – individuals who have an album or two on a share because they installed some software and didn’t read enough to realize that they were going to be sharing the music on their computers with the world. Broken enforcement.
Software and media need to be priced at a reasonable level for their utility. The average home user probably rarely uses their office package, so charging $600 is unreasonable. The average web developer who is handed some PSD files is probably going to use Photoshop all of ten minutes to modify those files and convert them into something he can use. Is that worth $700? I can’t justify spending $700 for Photoshop, so I use the GIMP, which is more than adequate to fill my needs. On the other hand, a graphics artist who uses Photoshop for 7 hours a day to make his livelihood should be paying that much for the software. As a computer geek I would prefer to use Photoshop so that I could help those graphics designers when they run into problems, but again that’s not worth $700 to me so that I can hand out free advice to people. Broken cost.
The solution is not easy.
The solution is multi-faceted and must be targeted specifically at the broken issues in the system currently. First of all, activation either doesn’t go far enough or goes too far. When transferring software from one computer to another becomes illegal, or requires repurchasing, that takes activation too far. Activation procedures are also too easy to break. Within hours of a commercial software package’s launch, someone will have figured out how to crack or bypass the activation and those who look for the means to get around it will be able to find it. Again, the good guy suffers here.
For software licensing, I propose a system similar to FlexLM where a user has to check out a key and remain in constant contact with the license server or the software will cease to function. For offline use a key could be checked out for a duration of time, just like in FlexLM. Now why should we submit to such a model? Pay per usage. If an application such as Microsoft Office cost $0.50/day to use, just for example, then I would have it installed on my wife’s computer instead of Open Office. She uses the software once or twice a week, and ~$52/year is easier to swallow than paying retail prices. Continually updated software is another reason. In such a licensing model, users could always download the latest version of the software and not be stuck on an older version. It breaks down the barrier to entry for most people for a software package like Office. For $0.10/hour I would also have the more powerful Photoshop installed on my computer instead of GIMP. Pricing could then easily be tiered based on commercial or non-commercial use, and upon support levels.
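To make the check-out model concrete, here is an added toy model of a license server with the three behaviours the paragraph describes: an online lease that dies if the client stops sending heartbeats, an offline lease checked out for a fixed duration, and metering of connected time for per-usage billing. This is example code written for this post, not FlexLM and not anything the post's author published; the seat count, the 60-second heartbeat timeout, the 7-day offline cap and the injectable clock are all assumptions made so the scenario runs deterministically.

```python
"""Toy check-out / heartbeat license server (added example, not FlexLM)."""
from dataclasses import dataclass, field

HEARTBEAT_TIMEOUT = 60          # assumed: online lease dies after 60 s without a heartbeat
MAX_OFFLINE_LEASE = 7 * 86400   # assumed: longest offline check-out the server permits


class FakeClock:
    """Injectable clock so the scenario below is deterministic."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class Lease:
    user: str
    expires_at: float
    offline: bool
    last_seen: float


@dataclass
class LicenseServer:
    seats: int
    now: object                                   # callable returning current time
    leases: dict = field(default_factory=dict)    # user -> Lease
    usage_seconds: dict = field(default_factory=dict)  # metered connected time per user

    def _expire(self):
        # Drop every lease whose deadline has passed; the seat becomes free again.
        t = self.now()
        for user in [u for u, l in self.leases.items() if l.expires_at <= t]:
            del self.leases[user]

    def checkout(self, user, offline_seconds=0):
        """Grant a seat; offline_seconds > 0 asks for a fixed-duration offline lease."""
        self._expire()
        if user in self.leases:
            return True
        if len(self.leases) >= self.seats:
            return False                           # all seats taken
        offline_seconds = min(offline_seconds, MAX_OFFLINE_LEASE)
        ttl = offline_seconds if offline_seconds > 0 else HEARTBEAT_TIMEOUT
        t = self.now()
        self.leases[user] = Lease(user, t + ttl, offline_seconds > 0, t)
        return True

    def heartbeat(self, user):
        """Online clients must call this regularly or the software stops working."""
        self._expire()
        lease = self.leases.get(user)
        if lease is None or lease.offline:
            return False                           # offline leases are not renewed remotely
        t = self.now()
        self.usage_seconds[user] = self.usage_seconds.get(user, 0) + (t - lease.last_seen)
        lease.last_seen = t
        lease.expires_at = t + HEARTBEAT_TIMEOUT
        return True

    def is_licensed(self, user):
        """What the client asks before each use: is my key still valid?"""
        self._expire()
        return user in self.leases


def simulate():
    """Constructed scenario: two seats, one online user, one offline user, one denied."""
    clock = FakeClock()
    srv = LicenseServer(seats=2, now=clock)
    out = {}
    out["alice_checkout"] = srv.checkout("alice")                    # online lease
    out["bob_offline"] = srv.checkout("bob", offline_seconds=3600)    # one-hour offline key
    out["carol_denied"] = srv.checkout("carol")                       # no third seat
    clock.advance(30); out["alice_hb1"] = srv.heartbeat("alice")
    clock.advance(30); out["alice_hb2"] = srv.heartbeat("alice")
    clock.advance(61)                                                  # alice goes silent
    out["alice_after_silence"] = srv.is_licensed("alice")             # lease expired
    out["bob_still_licensed"] = srv.is_licensed("bob")                # offline lease holds
    out["carol_now"] = srv.checkout("carol")                          # freed seat reused
    out["bob_heartbeat"] = srv.heartbeat("bob")                       # offline: not renewable
    clock.advance(3600)
    out["bob_expired"] = srv.is_licensed("bob")                       # offline duration over
    out["alice_usage"] = srv.usage_seconds.get("alice", 0)            # metered connected time
    return out


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The metering only counts time between successful heartbeats, so a client that loses connectivity is neither billed nor licensed for the silent period; that is the trade-off behind "remain in constant contact or the software will cease to function".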
The second part of the solution is enforcement. Instead of targeting the small-time sharers the way the MPAA does, they need to target the big-time criminals who are actively cracking this software and making it and the media available for general use. An end user shouldn’t have to fear that their copy of software might not be genuine, or that the list of MP3s they downloaded and paid for from Amazon might become a target of the RIAA if they get some kind of malware on their computer that decides to start sharing those with the world.
The third part of the solution is reporting. I know some of the software alliances have reporting tools on their websites, and I have actually visited them in the past in an attempt to report a violation. The last time I did so, the form was so complex and required so much information that I was not willing to put myself on the line to report someone else’s infraction. For example, how do I report my boss’s boss? Where are the anonymous tip lines? They didn’t exist back then, but today I did find one site that has one, although I don’t know how effective reporting will be.
That’s my solution in a nutshell. Not really much to it – mainly an enforceable and practical subscription model, reasonable prices to remove the impetus for theft, and appropriate enforcement. There are a few holes I haven’t covered, but feel free to point them out.
Don’t forget that today, September 19, is Talk Like a Pirate Day. For those of you on WordPress you can shock your visitors by installing the Text Filter Suite. It’s great fun – it will make your entire blog talk like a pirate for the day. No, I won’t be running it here, but enjoy!
My project is actually resurrecting an old SGI Fuel system whose motherboard and hard drive simultaneously died. There were no backups of the system, and it is a testament to the SGI hardware that this system lasted 6 years with 24/7 operation. This system is critical to production as it programs multi-million dollar machines. There is an upgrade to the software package available that will work on Windows, but the cost is somewhere in the six figure range. The system is also used for engineering work, and while this part hasn’t been production critical it has been an annoyance.
I managed to attend a telecom and send a bunch of emails back and forth today, so things are starting to get back to the grind. It has been a nice break though, and I wish that there could be more like that. I’ll have an SGI guy on-site tomorrow to replace the motherboard for a second time. It appears that the SCSI controller has gone bad because I am unable to load the engineering package on the system and it has been having some performance issues.
I saw this a few places, but a good writeup about it on Veritablelife blog. I wrote a previous post about the things I liked and disliked about the browser, and this has to top the list of dislikes. I think that the EULA is completely unenforceable, however I am not a lawyer and I wouldn’t want to have to fight a corporation like Google about it. The reason I’m not worried about this at all is that Google would be plain stupid to actually try to enforce this or steal someone’s content just because they used Chrome to enter it. Can you imagine the amount of negative publicity surrounding such a move? There’s already enough of it out there about the EULA itself.
Just give it a little more time and Google will have developed an EULA specifically for Chrome that is more sane. Even Google doesn’t bother reading these things before they go out, they just copy and paste, so I’m surprised so many users did as well.
At 4 and a half minutes it runs a little long. Again it leaves me scratching my head and asking why. There was a brief reference to Bill Gates “connecting” a billion people, but otherwise it was just about connecting to normal people. This may be my last entry on the topic because I’m getting bored with it. I haven’t seen any of these advertisements on TV, although with my PVR I doubt I would, but 4.5 minutes is too long for a TV advertisement anyway. They must be mainly interested in the viral effect, which I’m helping to promote.
I didn’t find it too humorous, although it does make a good point that there really is no normal family. We’re all weird and we all are eccentric in our own ways. If this is the purpose of the advertising then I’m impressed. I can’t help but wonder if Microsoft’s goal here is really to:
I saw a very strange article today where someone tried to argue that SaaS (Software as a Service) changes the CIA (Confidentiality, Integrity, Availability) paradigm (Triad). I was confused and read on only to find that there was no argument within the text to back up that statement. In fact, Availability was used as an argument against itself. I started to write a comment, but then it got too long and I realized that I was probably just going to offend the guy because of something he wrote out too quickly without reading it over. I’m sure I’ve already written something like that myself, or if I haven’t yet I will.
First, here is an explanation of the CIA Triad in a nutshell. These are the core principles of information security:
Confidentiality refers to preventing disclosure of information to unauthorized systems or people. Integrity refers to the data remaining in the system the same way it was put in – that it can’t be modified without authorization. Availability means that the data is available when needed and that security controls and systems that house the data are functioning correctly.
I’ve heard many people argue against the need for the Availability piece, as it doesn’t sound as interesting as the rest of it. Of course the data needs to be available, but what does that have to do with security? Joe Technician keeps the systems available. The problem is, if the system is not available, then it is not valuable, and if it is not valuable, then it is not worth using. Availability also refers to security controls being in place at all times. Suppose the security controls for a system suddenly become unavailable – say a log file fills up and no mechanism for rotating or offloading that file is in place. Subsequent actions taken on the system may then compromise Integrity, and in fact simply because the logging facility was not available we may have an Integrity or Confidentiality issue.
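The full-log-file case above is worth seeing in code, because the design decision it forces is whether the application fails open (keeps acting with no record) or fails closed (refuses to act until the control is back). The following is an added illustration written for this post, not code from the original article; the capped in-memory "log file" standing in for a full disk, the account ledger and the record sizes are all constructed for the scenario.

```python
"""Audit log availability: fail-open vs fail-closed (added example, constructed scenario)."""


class AuditLogFull(Exception):
    """Raised when the log volume has no room left; nothing rotates or offloads it."""


class CappedAuditLog:
    """Stands in for a log file on a volume with a fixed amount of free space."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.entries = []
        self.used = 0

    def write(self, line):
        data = (line + "\n").encode()
        if self.used + len(data) > self.capacity:
            raise AuditLogFull("no space left on device for audit record")
        self.entries.append(line)
        self.used += len(data)

    def free_fraction(self):
        """Monitoring hook: how much headroom the control has left."""
        return (self.capacity - self.used) / self.capacity


def needs_rotation(log, threshold=0.2):
    """True when free space drops below the threshold; the check an operator should alarm on."""
    return log.free_fraction() < threshold


class Ledger:
    """A system whose Integrity depends on every change being audited."""

    def __init__(self, log, fail_closed):
        self.log = log
        self.fail_closed = fail_closed
        self.balances = {"acct-1": 100}   # constructed starting state
        self.unlogged_changes = 0         # changes with no audit trail (Integrity gap)

    def transfer(self, actor, acct, amount):
        record = f"actor={actor} acct={acct} amount={amount}"
        try:
            self.log.write(record)
        except AuditLogFull:
            if self.fail_closed:
                return False              # the control is unavailable, so the action is refused
            self.unlogged_changes += 1    # fail open: the change happens with no record of who did it
        self.balances[acct] = self.balances.get(acct, 0) + amount
        return True


def run_scenario(fail_closed):
    """Five transfers against a log that only has room for two records."""
    log = CappedAuditLog(capacity_bytes=100)   # each record is 34 bytes; two fit, the third does not
    ledger = Ledger(log, fail_closed=fail_closed)
    applied = sum(1 for _ in range(5) if ledger.transfer("alice", "acct-1", 10))
    return {
        "applied": applied,
        "logged": len(log.entries),
        "unlogged": ledger.unlogged_changes,
        "balance": ledger.balances["acct-1"],
        "rotation_alarm": needs_rotation(log),
    }


if __name__ == "__main__":
    print("fail open:  ", run_scenario(fail_closed=False))
    print("fail closed:", run_scenario(fail_closed=True))
```

In the fail-open run the balance changes five times but the log explains only two of them, which is exactly the Integrity problem caused by an Availability failure of the control; in the fail-closed run the ledger stays consistent with its audit trail, at the cost of the service refusing work until the log is rotated or offloaded. Either way, `needs_rotation` is the signal that should have fired before the first rejected write.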
I understand what the article was trying to say about increasing exposure to Integrity and Confidentiality by going to a service-based environment, because you will be offloading sensitive information to a 3rd party; however, SaaS also increases Availability issues. Instead of running Word on your desktop, which works whether or not you are connected to your LAN, the Internet, or anything else, now you are relying on Google (for example) to provide your word processor over the Internet. Your 3rd party still has to get you the service. In providing SaaS, both the provider and the buyer need to consider Availability just as much as Confidentiality and Integrity.
I’ll give you a simple example. I can run your company’s ERP system for you. I’ll design the system so well that after you put data into it no one will be able to get it out. I’ll make it so safe that no one can make unauthorized changes. Actually, we will take your ERP system, unplug it, and stick it in a double locked vault where I know one combination and you know the other. That satisfies Confidentiality and Integrity completely, but ignores Availability.
Some businesses or systems within a business naturally emphasize parts of CIA over others. For example, there is a company that sells a USB key that has an internal self-destruction mechanism if an authentication is failed too many times. There are cases where availability of that data should suffer. If I am bringing a copy of proprietary company confidential information from one place to another, this might be the best means to transport it. If someone steals the USB key or I lose it in transport, I want to be assured that the data will not be available to whoever found it or be able to be modified by someone sneaking into my hotel room in the middle of the night. In this case I am willing to sacrifice some availability, for example if I forget my own passkey, for the sake of Confidentiality. This in no way negates the CIA triad or changes its paradigm. The USB key still must be available to me in order to be useful. I need to be able to put data on it, and it needs to be possible for me to bring it from one place to another. Once there, I need to be able to authenticate to it and decrypt the data that is there. In other words, the data must be available else I’d never buy such a device. The manufacturer still has other availability challenges such as how to decrypt and unlock the device on an alternative operating system (making it more available), or how to alert the user if someone was trying to guess the password since the last time it was successfully accessed (protection system availability).
In fact, each piece of the triad is intrinsically linked to each other piece in a delicate balancing act. As I said, it is easy to have a completely Confidential system if there is no Availability (try a pipe to /dev/null). When an end user asks for a network share behind the firewall to be available to a customer in another company, then we suddenly have much more need for security in the forms of Confidentiality and Integrity, but it was Availability that triggered the request. If we forget that Availability triggered the request, then we might as well not worry about the additional Confidentiality and Integrity needed to satisfy that unneeded Availability.
CIA is intrinsically linked and each piece must be considered in developing any system, including SaaS. There is no paradigm change. I know the author of the article knew this, because he argued points against his own thesis. It got me thinking about stuff though, and that’s always a good thing. I didn’t write this to offend or pick on anyone. If there is something I’ve overlooked or misread about the original article I’ll be glad to have it pointed out to me, because I just don’t understand it the way it was written.
Noscript is one of my essential browser tools. What it does is intercept Java, Flash, JavaScript and other executable content in the Firefox browser and keep it from executing until the user specifically whitelists the site. It can be an inconvenience to someone who doesn’t understand the dangers that exist on the Internet; however, it doesn’t save us from every danger out there.
It seems someone at ZDNet noticed it recently. It’s nice to know that Noscript protects from specific zero-day attacks too.
If you use Firefox (and you should) then you should use Noscript to complete your safety net.
It is rare for the XSS detection to trigger, but even for someone who browses as carefully as I do, it can. In fact there are some times when I am browsing through things that aren’t necessarily all on the up-and-up. I had a PC that I needed to hack into a couple weeks ago, and my traditional tool is ophcrack over at SourceForge. They recently updated the tool and it no longer performs as it did – very disappointing. I downloaded a previous version and let it crack away on the target computer, however it couldn’t reveal any of the passwords. I did some searching for an alternative tool, and as you can guess that led me to some shady websites. With Noscript I didn’t worry at all.
The one thing that Noscript doesn’t save us from is a trusted site that we’ve whitelisted and that was subsequently cracked. If the defacement includes posting compromised code, then it will execute just as if it were trusted.