Acting MA CIO Appointed, ODF A Go: "Re:Summary of What ODF is/means
(Score:5, Informative)
by Doug Coulter (754128) Alter Relationship on Friday January 06, @02:36PM (#14411655)
(http://clab.mystarband.net/)
Check out www.groklaw.net, which has been covering this and the M$ fud about it, as well as the SCO stuff. Basically, ODF is an open standard produced by a consortium of companies and released for public use with no patents, license fees or other encumberances. M$ could add support for it in a heartbeat (though it may not support all their bu...features) but is refusing to do so as that would place them in competition with the various other office suites that do support it -- and they might not win that one. After all, several of the suites that do support it are free as in free beer, as well as in free speech. M$ is responding that we should use their 'open' (but not really) new xml format that they don't even support yet, and which has various legal problems for implementors. Peter Quinn, the CIO who used to have the job, quit because of an M$ funded witchhunt that got him a lot of bad publicity and negative attention. Of course, he was later found to be guiltless, but that little retraction only made it to page four, rather than page one where the accusations were made... See groklaw for more detail."
---------------------------------
It has turned into a major political FUD-fest, but one of the more important details is IMHO that Microsoft *chose* not to support their customer (Massachusetts)'s wish to open and save files in OpenDocument format, and instead they questioned why their customer made such a silly decision and who did they think they were anyway. Read the articles on groklaw (
http://www.groklaw.net/ [groklaw.net]); most news you read about this will be biased one way or another, but groklaw always also has the bare facts. Disclaimer: I don't like MS and I like groklaw.
-------------------------
[State of /Massachusetts as it recognizes it will need to be able to read it's digital files for decades, indeed centuries, into the future. MS Office and like applications have proven to be unable to read documents written by versions only a few years old.]
------------
Correct me if I am weong[sic], but ODF is only used by OOo and Suns Staroffice (which is the same thing, in a box, with phone support), so even though the format is open, which is undoubtably good, isnt it just locking into Sun because no one else reads / writes ODF?
OK, you're wrong. ODF is an open format, thus no lock-in. Anyone can and will implement it. Koffice and WordPerfect have both announced that upcoming versions of their products will support it. OpenOffice is open source, so any company can modify and sell support for it. Even MS can support the format easily, they just don't want to because the benefits it brings, like the ability to migrate easily to other formats, might not allow them to gouge customers as easily. The lock-in part of the .doc format is that no one except MS can read/write it perfectly (and not even MS between versions).
Moving to ODF is smart because it is not a lock-in. In five years when MA wants to evaluate new word processors, they can look at the features and prices of at least four different providers and choose the best fit, without worrying if they can read old files and without worrying about migration costs.
--------------xox eof
======================
One of the wisest comments I've heard on security was: security is the tax that the rest of us pay because some people are immoral.
The problem is that within information technology, many users have far too much access and trust than they should truly have. Another problem I've seen is execs granting themselves and their assistants way more access than they really need to do their job. It's a power issue for some of them. I run the company and should be able to get to anything.
That's not every company and SOX has made thinking about the consequences more attractive for the higher ups.
------------------
I've experienced working at a place where an employee walked out with information (and was subsequently sued into oblivion). Afterwards, all computers were locked down to the point where it made it nearly impossible to get any work done. Ever try to troubleshoot a data issue when you have to get your supervisor to log you into the database server every time? It can be hard to find a happy medium.
=================
This sounds bogus to me.
I doubt many companies are "oblivious" to the insider threat, it's just considered an acceptable cost of doing business. For example, a grocery store I used to work at knew perfectly well that their employees were lifting candy from the bulk candy dispenser (to pick an example). But they also knew the money they lost on that was significantly less than the cost of installing cameras and paying someone to review the tapes, or than the cost in lost sales of eliminating the bulk candy dispenser. So, when someone was caught red-handed, they were read the riot act (at least) or outright fired (at worst), but no special effort was made to catch people.
I don't think the owners of that grocery store were business prodigies, either. My guess is that the same sort of logic applies to most employers: the cost of preventing the infraction is higher than the cost of allowing it. The truth of this is reflected in which industries
do protect themselves against the "insider threat": places like casinos, where a successfully criminal insider could lose them huge quantities of money.
Meanwhile, the book seems to make the same suggestion a lot of security experts do: if a user doesn't need the technology, then don't let them use it. This sounds good, but it carries costs, too. First, of course, the cost of setting up and maintaining a network that enforces such policies. But second, the cost in employee morale, which cannot be discounted. Another job I had not all that long ago was in an office that didn't allow its employees to listen to talk radio. Music was fine, but talk radio was too much of a distraction. Since you didn't need it to do your job, you weren't allowed to have it.
The effect on morale was, to put it mildly, negative. Honestly, it's one of the reasons I didn't have the job for very long. Email and internet access are similar: employees have become accustomed, rightly or wrongly, to some personal use of these technologies. Take that away, and you're sure to end up with disgruntled employees, no matter how rational your reasons.
Moreover, it's a question of trust. If you demonstrate to all your employees that you don't trust them, odds are good you'll increase the number of employees who will live up (or down, if you prefer) to your expectation. At best, you'll incur the costs associated with high turnover rates. At worst, you'll fall victim to even more pernicious crime than you otherwise might have.
I guess the point is, it's not necessarily ignorance or even apathy that causes businesses to be vulnerable to insiders, it's simple cost/benefit analysis.
--
I already trust my computer. My computer has no business 'wondering' whether it trusts me or not.
-kfg
==================
This book is total crap and their conclusions about trusted insiders are all wrong. I know this because a friend of mine who worked at the publishing house leaked me a copy a few months early...
never mind
------------------
I work in healthcare and one of my roles is to help in auditing.
The main issue is that most people can look at any patient. This is considered a "necessary evil" as sometimes unexpected clinicians might be looking at a patient's information and we don't want to block access in a life threatening situation. Instead, we review access after the fact, in addition to putting certain blocks in place:
- Unusual access is audited. This includes people looking at patients who happen to be employees, specific audits of local celebrities, and so on.
- Random audits. Periodically, someone will check to see what a random person is doing.
- Probation. New users are audited at certain points, to make sure they're not abusing their new power.
- Hiding patients Certain patients are hidden from most users - this might include celebrities, legal issues, or patients who have requested it.
I see trust as a necessary part of functioning within an organization, though trust must be tempered with watchfulness. I'm a big fan of letting people do what they want, and then "break their kneecaps" if they abuse that trust. In real terms, this means prosecution and the like. Of course, I don't decide such things - that gets passed on to our legal department and I try not to follow up after that.
=================
The 27th? Security firm PivX was able to program an update for preEmpt that blocked all of the WMF exploit vectors on Win9x and higher without breaking anything. It was made available for its auto-updating clients on December
7th (2005-12-07).
--
My curiosity piqued too as I peeked over the peak and saw that they're there by their thar.\=
===================
So this is a design issue?
Yes, it is a design issue.
I would think the MS would have a department of crackers and hackers to try to do shit like this. Also, didn't any of the original developers think of this when they wrote it or did they think the exploit was so remote, that it'll never happen?
==================
The guy did not "remove one line of code." He used a DLL injection technique (documented by Richter in Advanced Windows Programming) that allows him to replace the registered address of a function in gd132.dll. This is not beginner coding, it works fine in principle but is not easy to pull off and have be reliable.
One problem, for instance, is that if some other hacker came along and reset the function pointer with their *own* dll, we'd be back to square one (tho that requires a greater level of system access). And the DLLs themselves don't have explicit control over when they get loaded, so they can't guarantee that they are first or last.
Microsoft's patch is nothing like his. They (I'm guessing) rebuilt gdi32.dll to actually turn the function into a no-op. Adequate testing by MS would have to include ensuring that all the various WMFs dynamically generated by the OS are not adversely affected.
--
A piece of string walks into a bar...
===========
This particular problem has a deeper root. The problem is that the code
is working as designed, and is well-designed to do what was intended. The problem is in what was intended. If your "feature" is a boneheaded security hole, no amount of good design and good coding can save you. All they will get you is a beautifully designed, perfectly coded boneheaded security hole.
-----------------------
Or just do what OpenBSD does: Make writable memory non-executable, make executable memory non-writable. This bit of common sense is disappointingly rarely implemented.
===================
I'm no expert by any means, but I think the idea behind the ReiserFS is breaking down the FS paradigm from the file level to the line level.
There is the classic example from the Reiser website. If your password file gets hacked, you have to ditch the whole file if you're using traditional file systems. You only know whether or not the file's been changed. However, with the Reiser system, it can tell you *what line*, and thus which user/password, was changed.
That's just a taste of where you can go with the ReiserFS. There are other things coming down the pipe; check out the reiser website for a better idea of the new features that ReiserFS promises.
--
Computers are useless. They can only give you answers. -- Pablo Picasso
----------------------------
Here's what's missing. They forgot to tell you how well the drive performed after being used for 1 year, and having constantly moved data from one place to another, and constantly deleting and creating new data. It would have been a better test if the drive was about 75% full, with data from 2 years of use, and then the same tests were performed.
--
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
===============
It would be interesting to see the results of the same tests running against
a SCSI drive system where there is less IO overhead to see if the results differ.There are other considerations here as well. What about the I/O elevator's tuning options.Yes, I'd much rather see this test occur against a SCSI drive or better yet against a RAM drive for pure software performance.
Cheers fellow slashdoters!
================
IIRC NCQ isn't 100% fully-baked on Linux yet, so even NCQ-capable controllers and drives won't take advantage of it yet. I just upgraded my home file server with NCQ-capable gear and I don't think it's using it yet, even though I'm running the latest kernel.
There are patches for libATA that enable NCQ, but they're not in the mainline yet.
The only thing worse than testing without the new technologies would be testing with half-baked implementations of them. Let's wait until NCQ is done before we try testing with it
The civil liberties issue might be this
(Score:5, Interesting)