BT et C

Friday, January 13, 2006


There are two items at /. that provoke some thought today. And when thought gets provoked, it's usually time to post to yr blog!

The more recent of the two informs us that number & timeliness of system patches are not as important to customers as "which vendor makes the patching and updating experience the least complex, most efficient and easiest to manage" according to Bill Hilf.

I cannot say whether Mr. Hilf is right about that. The question is: is the customer right? More generally, "is the customer always right?" Keep abstracting away from the issue, and you'll see that the fundamental question is the same as the one behind the Efficient Market Hypothesis and thus touches upon libertarian principles: can the market fail?

We'll do more of that later; let's get back on topic. A reductio ad absurdum of the Hilf principle would suggest that what the customer would prefer is to Never Patch Anything. Unlike most reductiones ad absurdum, this isn't absurd at all. There are two ways to bypass the patching process:
1) build a perfectly airtight operating system
2) conceal the need for patches.

And I think back to an excellent section of Neal Stephenson's In the Beginning was the Command Line:
"Commercial OSes have to adopt the same official stance towards errors as Communist countries had towards poverty. For doctrinal reasons it was not possible to admit that poverty was a serious problem in Communist countries, because the whole point of Communism was to eradicate poverty. Likewise, commercial OS companies like Apple and Microsoft can't go around admitting that their software has bugs and that it crashes all the time, any more than Disney can issue press releases stating that Mickey Mouse is an actor in a suit."

History suggests that the open-source software camp has #1 as an ideal, whereas commercial OSes lean toward #2. Both are impossible to achieve completely, though, so in the meantime (which is forever), there are two ways to make the patching process less annoying:

1) have patching be rare
2) have patching be easy

Or, of course, both. This is what the customer would prefer. Wait -- did I say commercial OSes? Because there's a commercial OS that does both, and which (near as I can tell) leans toward #1 above, as evidenced by a quote from one of its security response team leaders:
"Of course, we could reduce the number of advisories by batching issues into a single update every month, or by not fixing those vulnerabilities rated as low severity, but that is actually detrimental and increases the risk to customers. We're not going to play the numbers game with our customers."

What OS could that be? Whatever it is, it seems to be under the illusion that what the customer prefers is not necessarily what is best for the overall computer security situation.

The second and older item that caught my eye is more interesting still: it is an attempt by Microsoft to disabuse us of the illusion that Linux runs better on older hardware. The method sure looks scientific: install Windows and Linux on old hardware and see what happens. In fact you could say it like this, using just quotes from the article:
hypothesis: "There was this pervasive belief that Linux could run on older PCs and that Windows could not"
procedure: "installing Red Hat Enterprise Linux, SUSE Pro 9.2, Mandrake 10, Linspire 4.5, Xandros Desktop 3.0, Fedora Core 3, Slackware 10.1, Knoppix 3.7, Windows XP and Windows Server 2003 out of the box on older hardware to see what happened."

Well, if your ears haven't perked up yet I'll throw out some fun facts:
-XP released October 2001; SUSE 9.2 released October 2004; FC3 released November 2004; Slackware 10.1 not sure exactly but it was 2005; you've probably got the idea already.
-Where's Gentoo, Debian, DSL, PuppyLinux, or one of the many distros that people actually claim run well on old hardware?
-Did you say "out of the box"?

We've got a problem, then: the hypothesis that was actually tested is "What works better on 7-year-old hardware? An out-of-the-box operating system from 5 years ago, or out-of-the-box operating systems from 1 or 2 years ago? For the sake of brevity, let's exclude 1-2 year old operating systems that are intended to be used on older hardware."

They shoulda called me. I coulda saved 'em a lot of trouble. Hilf declares: "the technical capability to modify Linux, to strip it down to run with a minimal set of services and software so that it can run on all sorts of hardware devices, has generated that larger assumption that any type of Linux distribution can run on all sorts of hardware devices."

This is an assumption I have actually not heard voiced, and I wondered how prevalent it really is. So I googled it, and all I see besides the original article is a guy who confirms my instinct about this BS.

So it's not quite as bad as "proving" that Linux is more expensive than Windows by installing Linux on an old mainframe and Windows on a desktop and then comparing the price per megabit per second. But it's pretty bad.

Monday, January 09, 2006

Oh My

dyne:bolic is pretty much teh pwn and so on. I had no idea. I'll get back to you...