Migrating to GNU/Linux

Over the years I have read many accounts of migrations large and small. The big guys tend to be very cautious because any disruption is huge. This is what Canonical says about how to go about it:

  1. Plan effectively for maximum effect
  2. Target the users ripe for migration
  3. Identify the apps that save you money and fuss
  4. Create the right management flows
  5. Pilot your project to get it just right

That’s not too different from what

see FIVE GOLDEN RULES FOR A SUCCESSFUL UBUNTU DESKTOP MIGRATION

While a perfectly planned set-piece migration appears to work for large organizations, smaller organizations may simply experience delay and greater costs doing the detailed work. The GNU/Linux desktop has evolved to the point where for a large proportion of users it can do the job with little fuss. Just back up data, install the OS and restore the data. If any problems arise they are likely to be small and manageable. With a good backup, one can always revert particular machines if a show-stopper arises. In ten years of migrating small organizations I never encountered a show-stopper that could not be simply worked around. Migrations of simple computer labs may take only an hour or two. A whole school may be about as complicated as that. Where I last worked, I walked around replacing PCs with GNU/Linux PCs. I could have installed over the network to avoid the walking but there was a matter of locked doors after hours… That’s not a show-stopper associated with the OS, just constraints on the institution.

For the benefits of global mirrors, a great package manager, APT, good tools for system management over the network and sound policies on integration, I recommend Debian GNU/Linux. It works for you.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

63 Responses to Migrating to GNU/Linux

  1. Robert, it’s editorial like the following that really kills your credibility. Grow up!

    “Brillo, pompous ass and troll wrote…”

    You and Koz seem to rely on character attacks and ad hominem rather than facts and rational discussion. Why not just say “you’re wrong because you’re fat” since it’s about the same caliber of argument you seem to be used to delivering.

    Likewise, using “M$” and saying “the other OS” is incredibly petty. Notice how I don’t call it “LinSux” or something equally childish? That’s because I argue on merit, without having to resort to baseless mudslinging and vilification.

  2. “If you don’t like anecdotes, go elsewhere or research the history of the TCP/IP stack.”

    Here’s an anecdote for you; Nobody uses Windows 98 anymore. I’ll refer again to the wikipedia data:

    http://en.wikipedia.org/wiki/Usage_share_of_operating_systems

    Oh look “Other Windows” has virtually the same usage stats on Wikipedia as desktop linux does! Keep in mind, this includes 95, 98, 2000, and ME as well.

    Finally, if you actually bothered to research the TCP/IP stack, you’d know that Microsoft licensed Spider to add TCP/IP to NT; Spider was used under the BSD license. By NT3.5 they’d rewritten the stack so that it didn’t rely on the Streams architecture that Spider did, reducing the overhead of needing to simulate a Streams environment. Spider used elements of the BSD TCP stack for checksums which remained in the NT rewrite. The NT3.5 stack was used in Windows 95.

    I’d really like to know if you were using TCP or some other protocol Windows supported like NetBEUI.

    http://en.wikipedia.org/wiki/NetBIOS#NetBEUI

  3. Brillo says:

    first layers -> first layer

  4. Brillo says:

    Silly. You get a discontinuity/reflection in the transmission line even if you do not cut the cable.

    True, but I still highly doubt your understanding of the implication of that beyond the first layers of the OSI model.

    Believe it or not at one of the largest school divisions where I worked the head IT guy, an MCSE, (not I) used a staple gun to affix surface-mounted Cat-5 in a computer lab.

    I don’t think an MCSE in or of itself qualifies you in any way to handle indoor electrical wiring. In fact, DIY wiring like this can even get you into trouble in some countries. Of course, with that aside, knowing what you are actually using is also an important part of the equation.

    In the school system I designed, Cat-6 was used and properly mounted in conduit and cable-trays.

    But obviously not in that particular school where the IT personnel decided to work around “network chatters” with more servers.

    Got any more apples-to-oranges comparisons to throw at your detractors?

    No, but it was necessary and very useful in 1973 when I built my detector.

    I am glad that you finally admit all that guff is essentially irrelevant to the discussion. Moving on…

    I taught hundreds of students how to terminate cables

    So you taught hundreds of students how to (dubiously) use a cable crimp. More power to you, I guess?

    I tested them. GNU/Linux had three times the throughput of Lose 98 on those cables because Lose ’98 still used M$’s own TCP/IP stack…

    As TR points out, that’s pure anecdote, and this is to set aside the obvious fact that all this discussion on an ancient OS almost nobody uses these days is entirely irrelevant to the subject matter at hand.

    Both M$ and GNU/Linux eventually used the BSD stack or modified it to suit but Lose ’98 did not use the BSD stack.

    So, in a nutshell, you are invalidating your own argument by claiming that now every operating system uses the same network stack.

    Well played, PR! Well played!

  5. ch says:

    “Note the part about maxing out the LAN with 10-30 users.”

    Well, most participants in that discussion seem to have been almost as knowledgeable as you ;-) However, the point about “not more than 25-30” was in regard to managing that without a central server – just changing passwords on 30 machines for each user isn’t really fun.

    However, if you really wanted to max out your LAN, way back then the ticket was NFS. Before NFS 4, it was a stateless protocol – for file-sharing!? Our LAN guys loved it 😉

  6. TM wrote, “I guess this is just more anecdotal evidence then.”

    If you don’t like anecdotes, go elsewhere or research the history of the TCP/IP stack. Both M$ and GNU/Linux eventually used the BSD stack or modified it to suit but Lose ’98 did not use the BSD stack. Slow networking was a characteristic of both that other OS and MacOS in school labs about that time. M$ imported BSD stuff and Apple switched to BSD UNIX OS and got the stack that way. GNU/Linux used the BSD stack much earlier.

    Just for fun, read this discussion of Lose ’98 from the good old days. Note the part about maxing out the LAN with 10-30 users.

  7. ch says:

    “GNU/Linux had three times the throughput of Lose 98 on those cables because Lose ’98 still used M$’s own TCP/IP stack…”

    Even if that was actually true: Why didn’t you use NetBEUI for the Win98 machines?

  8. “The stapled cable still worked well at 100 mbits/s. I tested them. GNU/Linux had three times the throughput of Lose 98 on those cables because Lose ’98 still used M$’s own TCP/IP stack”

    Sounds like a very scientific test. What’d you do? Copy a file in a bash terminal and try to do the same thing in the command prompt on Windows? Can you show us the actual numbers of your tests?

    No? Well I guess this is just more anecdotal evidence then.

  9. Brillo, scorning knowledge of electronics acquired by me since the 1960s wrote, “That’s totally worth a damn in 2012, isn’t it?”

    No, but it was necessary and very useful in 1973 when I built my detector. No off-the-shelf unit would fit my custom-built detector which needed a preamp right on the wire, not nearby. The idea is that the detector produces a small charge on what is essentially a capacitor, the wire. Adding capacitance to the wire by leading the signal to a distant pre-amp lowers the voltage of the signal and thus the signal to noise ratio. Nuclear physics labs are electronically noisy places with all the usual 60Hz stuff as well as high voltage and RF power supplies nearby. It is vital to produce a signal large enough that its timing is minimally affected by noise. We had suitable pre-amps for other kinds of detectors but mine was the first of its kind in Canada in those days. CERN still does it that way because they have many thousands of wires and each must have its own preamp in confined spaces. e.g.
    “includes on-detector and off-detector electronics, encompassing five different types of custom circuit boards designed to handle the high event rate at the LHC. The on-detector electronics includes Cathode Front End Boards (CFEB) [R. Breedon, et al., Nucl. Instr. and Meth. A 471 (2001) 340], which amplify, shape, store, and digitize chamber cathode signals; “

    see http://www.sciencedirect.com/science/article/pii/S0168900208021153

    There just isn’t any practical way to produce a product that fits in the confined space of a particle detector that’s a separate unit. You build the detector to fit the physics and preamps and such need to be part of it. My little “proof of principle” prototype had only 5 wires. CERN has tens of thousands in confined spaces. I used a few discrete components and a transistor. The important features were protection from kilovolt spikes, small size, amplification before putting the signal on cables in a noisy environment (RF, high-current spikes and high-voltage leakage). The system worked beautifully giving position and particle identification for a tiny investment. I built all the hardware in a few hours in the machine-shop and at my desk. Of course it took a year to design, a year to test and a year to write the thesis, but those were some of the best years of my life.

    Google has something about that thesis. I wonder if they have scanned it…

    Wikipedia does not have much information about the technology. Perhaps I should dig up my copy of the thesis and put it online. Some of the technology can be seen here (1969 onward). I was quite privileged to work on technology only seven years old in concept for a Master’s degree. Normally state of the art is restricted to PhD projects.

  10. Brillo wrote, “What will (likely) happen if you use large staples instead of cable clips to fix a Cat5/6 cable?

    It’s stuff like this that messes up what you, a layman, think is perfectly done wiring.”

    Silly. You get a discontinuity/reflection in the transmission line even if you do not cut the cable. Believe it or not at one of the largest school divisions where I worked the head IT guy, an MCSE, (not I) used a staple gun to affix surface-mounted Cat-5 in a computer lab. In the school system I designed, Cat-6 was used and properly mounted in conduit and cable-trays. Cat-6 jacks were properly installed in each classroom by proper technicians and tested/certified for throughput with an expensive cable-tester. Every cable was properly marked at the patch panel and the outlet. The stapled cable still worked well at 100 mbits/s. I tested them. GNU/Linux had three times the throughput of Lose 98 on those cables because Lose ’98 still used M$’s own TCP/IP stack…

    I taught hundreds of students how to terminate cables and we often made LANs fully operational on table-tops for their benefit.

  11. Brillo says:

    The noise cancellation which is so important to permit good bandwidth on a 100m length of such cable starts with differential drivers and receivers matching cable impedance while subtracting extraneous common-mode noise.

    What a fancy way to say “unshielded twisted pairs”, PR!

    Here’s a pop quiz: What will (likely) happen if you use large staples instead of cable clips to fix a Cat5/6 cable?

    It’s stuff like this that messes up what you, a layman, think is perfectly done wiring.

    Physics is full of digital and analogue electronics, standard units, measurements and analysis of errors.

    Again, you are telling me nothing beyond being able to operate a DAQ box.

    For my Master’s Thesis, I built a sub-nanosecond preamplifier for the detector that I built

    So you created a crude equivalent of one of these things. That’s totally worth a damn in 2012, isn’t it?

    and handled the signals all the way from the lab to the control room to the mainframe on a number of transmission lines.

    So you have the ability to operate a very large DAQ box. Congrats!

    Also, of course, all this fancy talk about “electronics”, “standard units” and “measurements” is none beyond the first of the seven layers of the OSI model. We have well-trained electricians to handle all the “sub-nanosecond” connections at this day and age, so what exactly are you trying to prove here except a dubious ability to operate a cable crimp?

    I understand computers too. I studied digital and analogue electronics and built my own computer on VMEbus with a 68K microprocessor back in the day.

    So you can assemble your own computer from parts.

    Do you know who else has that same ability as well? Almost everyone.

  12. Brillo, pompous ass and troll wrote, “could you please tell me how that qualifies you as a computer network engineer? “

    That’s easy. Much of the technology of computers and networks is derived from physics, one of my several specialties. Ethernet cable, for instance is an example of a transmission line which can be represented in theory by distributed lumped passive devices: inductors, capacitors and resistors. The noise cancellation which is so important to permit good bandwidth on a 100m length of such cable starts with differential drivers and receivers matching cable impedance while subtracting extraneous common-mode noise. Physics is all about measuring stuff. If you can’t measure stuff, it’s probably not that important in the real world. Physics is full of digital and analogue electronics, standard units, measurements and analysis of errors. All those are critical to a network. For my Master’s Thesis, I built a sub-nanosecond preamplifier for the detector that I built and handled the signals all the way from the lab to the control room to the mainframe on a number of transmission lines. You bet I understand the physics of networks. Computer networks are based on that physics.

    I understand computers too. I studied digital and analogue electronics and built my own computer on VMEbus with a 68K microprocessor back in the day. I voted to approve IEEE P1014 which is still in use for data-collection and control systems decades later. I still have the hardware. I have taught thousands of students to disassemble, reassemble and upgrade ATX PCs. I have built complete networks for schools. Everything worked and much of it is still working. There is a reason for that. I am a rational human being and technological sponge.

  13. Brillo says:

    So, I go over to my little woman’s PC, login to beast remotely via SSH and start a new session and her little trick sees nothing… See what I mean about sessions?

    To clarify:

    When you use ssh -x to connect to a remote machine, your computer effectively becomes the X server for the apps you run on that machine. If your computer has already been compromised, an attacker can simply gather output of those apps without going after the remote machine. Moreover, all those login details that you type in the terminal emulator (be it xterm or gnome-terminal) are also exposed to the attacker compromising your computer and thus make the remote machine also vulnerable to further attacks.

    Get every thin client to login that way and there’s perfect isolation.

    A thin client set-up is no more or less vulnerable than a “fat” client one in practice. As long as there is software, an attacker can always find a way to attack it.

  14. Brillo says:

    Honours Physics B.Sc., M.Sc. Nuclear Physics, particle accelerator development and operations

    Again, you fail to specify what role you played in an undertaking of an obviously large scale. So you built superconductive magnets for the LHC. That’s cool! Now, could you please tell me how that qualifies you as a computer network engineer? No answer? How typical, PR! How typical!

    Could malware exploit X? Sure. But where’s the malware? I don’t see any.

    Maybe you need an optometrist?

    Compare this situation with M$’s inclination to allow every window to interact with every other window regardless of user. see Shatter Attack

    This hasty response reveals three things about you:

    1) You lack the ability to comprehend your own source.

    2) You don’t know how UIPI or UAC dialog boxes work.

    3) You have no idea what people mean by “session” or which part of X is being put into question.

    With Windows Vista, Microsoft aimed to solve the problem in two ways: First, local users no longer log in to Session 0, thus separating the message loop of a logged-in user’s session from high-privilege system services, which are loaded into Session 0. Second, a new feature called User Interface Privilege Isolation (UIPI) was introduced, whereby processes can be further protected against shatter attacks by assigning an Integrity Level to each process. Attempts to send messages to a process with a higher Integrity Level will fail, even if both processes are owned by the same user. However, not all interactions between processes at different Integrity Levels are prevented by UIPI. Internet Explorer 7, for example, uses the UIPI feature to limit the extent to which its rendering components interact with the rest of the system.

    BTW, Windows is the only one mainstream OS I’m aware of, that actually attempts to implement some form of GUI-level isolation, starting from Windows Vista.

    Rutkowska is an expert of her field, and her assertion on X is backed by reproducible results from published literature. You, on the other hand, are the IT equivalent of Uncle Red from The Red Green Show who tries to solve problems with nothing more than a headful of farcical ideas and rolls of duct tape. Don’t bother trying to steal credits from the computer scientists and engineers you have worked with, PR – there is nothing in you that qualifies you as part of their league, and it shows.

  15. Phenom wrote, “lets forget for a minute the fact that you extrapolate the needs of a school on the whole world”.

    On the contrary, I have a very wide experience of IT. I have had many careers in different fields and used IT heavily in all of them: Honours Physics B.Sc., M.Sc. Nuclear Physics, particle accelerator development and operations (University and Healthcare), inventing a process for isotope separation, house-husband (designed the house and worked out the Bill of materials too), welding, and teaching. That’s a wide range of working environments interacting with a wide variety of people for many different uses of IT. I have only worked in school the last 14 years, but I was often the local tech, system administrator, systems integrator and installer. I’ve worked for organizations with budgets from $100K per annum to $100 million per annum with a handful of employees to thousands. What more do you want from me for free?

    Re: Rutkowska

    So, I go over to my little woman’s PC, login to beast remotely via SSH and start a new session and her little trick sees nothing… See what I mean about sessions? The Xserver on the little woman’s PC cannot see Beast’s devices and Beast cannot see hers except of course the desired interaction with the appropriate session. Get every thin client to login that way and there’s perfect isolation. Isolation between processes is of course determined by the user’s wishes. If you want yourself to see what keys you just typed, go ahead… If you are using multiseat-X there could be an issue. I don’t have the hardware to test that at the moment.

    Could malware exploit X? Sure. But where’s the malware? I don’t see any. I normally want all my processes to interact with my screen so I can interact with all of them. Would you not want that in a GUI? Compare this situation with M$’s inclination to allow every window to interact with every other window regardless of user. see Shatter Attack

  16. Brillo says:

    underserved -> undeserved

  17. Brillo says:

    Not an issue for a typical newish PC these days.

    Not an issue on the wired LAN often found in schools.

    Not even with “network chatters”? You seem to be too eager to assume an A-OK (as long as it involves your favorite OS) without actually understanding what’s going on in the picture, don’t you?

    GNU/Linux security pretty well takes care of sessions.

    Again, how? You don’t even seem to notice that unlike our resident link hoarder, Joanna Rutkowska is a recognized figure in security research and has her own work to back up her credibility (rather than cling onto the fame of some group to gain undeserved credence like one certain individual here).

  18. Brillo says:

    Not an issue for a typical newish PC these days.

    Not an issue on the wired LAN often found in schools.

    Not even with “network chatters”? You seem to be too eager to assume an A-OK (as long as it involves your favorite OS) without actually understanding what’s going on in the picture, don’t you?

    GNU/Linux security pretty well takes care of sessions.

    Again, how? You don’t even seem to notice that unlike our resident link hoarder, Joanna Rutkowska is a recognized figure in security research and has her own work to back up her credibility (rather than cling onto the fame of some group to gain underserved credence like one certain individual here).

  19. Phenom says:

    Pogs, lets forget for a minute the fact that you extrapolate the needs of a school on the whole world.

    How can you say “GNU/Linux security pretty well takes care of sessions” after this story:
    http://theinvisiblethings.blogspot.com.au/2011/04/linux-security-circus-on-gui-isolation.html

    Mind you, we speak of GUI and X, not of CLI.

  20. Brillo wrote some objections to X11 and SSH:
    “From the top of my head:

    – Additional overhead to an already resource-hungry protocol
    Not an issue for a typical newish PC these days. I have run labs on 100mbits/s or 1000mbits/s with or without SSH and SSH does impact an older terminal server or a really ancient client. It’s no problem for a newer machine with multiple cores etc.
    – Lack of resilience over congested/choppy communication links
    Not an issue on the wired LAN often found in schools.
    – Prone to session leaking on the server side
    “Session Leaking”. Sounds like a feature you should trademark for that other OS. GNU/Linux security pretty well takes care of sessions.

  21. Brillo wrote about exotic configuration of X11, “As long as you don’t mind dealing with all the weird quirks that come with Xinerama, all the magic incantations in xorg.conf,”

    I don’t mind. The return on investment of a few minutes tweaking a text-file is pretty high compared to using that configuration for many years. There’s usually someone who has done any particular kind of configuration you can imagine and examples are out there. All the rectangular arrays are pretty routine. I even set up one school with 6 independent users with monitor/keyboard/mouse on a dozen PCs for clusters in classrooms and labs. It was pretty easy. I just ran a script published on the web once and replicated the installation on the other machines. It was a couple of minutes work to do it all and dozens of setups happened.

    The typical multiple duplicate display doesn’t even need the tweaking using “xrandr“.

  22. ch says:

    I couldn’t help but re-visit this one:
    http://linuxhaters.blogspot.de/2008/05/you-dont-need-to-be-rocket-scientist-to.html

    “what’s wrong with X11”

    Nothing at all, Sir, nothing at all.

  23. Brillo says:

    It’s also good for arrays of displays.

    As long as you don’t mind dealing with all the weird quirks that come with Xinerama, all the magic incantations in xorg.conf, all the hair-splitting problems among X, OpenGL and the video card drivers and all the additional problems brought along by each different Unix system or Linux distro, then, yes, I suppose it’s pretty good.

  24. Brillo says:

    X11 is just great for computer labs and the like. It’s also good for arrays of displays. If you need more security than X11, what’s wrong with X11 over SSH?

    From the top of my head:

    – Additional overhead to an already resource-hungry protocol

    – Lack of resilience over congested/choppy communication links

    – Prone to session leaking on the server side

    For someone who claims to have intimate knowledge in a industry-standard data bus, I expect a better argument than “what’s wrong”.

  25. oiaohm wrote, “Its the historic crap that x11 is ruins things.”

    X11 is just great for computer labs and the like. It’s also good for arrays of displays. If you need more security than X11, what’s wrong with X11 over SSH?

  26. oiaohm says:

    Brillo
    “So you hoard the pages you get from Google. Gotcha.”
    Most I pick up from conferences and other sources. Not Google.

    By the way Crispin Cowan and me have never got along. If you go back over apparmor I pulled Crispin Cowan up over having holes in its design.

    Also Brillo please don’t be stupid.
    http://austingroupbugs.net/view.php?id=545
    Is my first report on the issue.
    http://austingroupbugs.net/view.php?id=553
    This is my second. I have listened I have altered to something more suitable.

    http://austingroupbugs.net/view.php?id=251 is where I started. Lets just black list chars and hope that no one creates a tool to write them to the file-system so causing files to be not accessible. This is not a sane solution to problem.

    This list I have taken on-board. From Crispin Cowan.
    “1 Can’t do learning mode
    2 Can’t do wildcards
    3 Sucks up huge loads of memory to do that much FS mounting (imagine thousands of bind mounts
    4 I’m not sure, but I don’t think you can do file granularity, only directorie”

    Point 4 fsnotify you will find me bringing the common system between dnotify and inotify into existence. This framework could be made better for per file. Again you will find me talking to the developer of that to fix up how to do per file filtering in user-space that leads to the fanotify framework. As yet we don’t have bfd or equal for doing this. Yes there is no reason why like seccomp filters uses bfd on syscalls why this could not be applied to the file system. This infrastructure for doing this from userspace has moved forwards.
    Crispin Cowan
    “I would much rather be discussing what that would
    require than arguing this impossible dream of One True File Access Control model, which will never happen in our lifetimes.”
    He may end up eating his words on this one. A bfd filter framework for applications file system access may in fact provide one True File Access Control model. A fully programmable File Access Control Model.

    Point 3 turns out to be false it done by systemd without a major overhead problem. Reason why it does not have a major overhead problem is the way cgroups and bind mount operate has been fixed for bind mounts so information between duplicate mounts could be shared. This was a Linux Kernel Internal bug that required fixing not a reason not to implement userspace LSM. That you will find me talking to the Cgroup makers about.

    Point 2 The can’t do wildcards still not sure on that until fully functional example is running I will not know fully but this is most likely false as well. This is the only point of Crispin Cowan that has lasted the test of time so far and appears like its not going to.

    Point 1 is also knowing to be false Learning mode is in fact false because you can catch a cgroup breach and alter cgroup and return to program same with using seccomp filters to monitor syscalls and update the profile Real-time same with fanotify.

    Brillo just because Crispin Cowan has a PHD does not mean he understands where security is going.

    So every argument over userspace LSM like security that Crispin Cowan put up is mostly bogus.

    Brillo I did listen to him. I did take on his complaints and I have gone and checked out if they are real. As you can see it appears that all Crispin Cowan arguments were bogus. This is why when people like you say I only google are so wrong. I do a lot of long term research. Items that you would not find on google easily are in my bookmarks.

    Crispin Cowan
    “For learning mode that would have to be a hook back to a LSM I would expect.”
    This statement is completely bogus. Was even back at the time of that post.

    Yes it was Linus who told me to join the cgroup mailing list. What I had back then there was not enough infrastructure to make it work and the infrastructure had bugs that need solutions first. Most of the cgroup solutions have appeared.

    The bug bare was how to filter syscalls and files without massive overhead. A chrome developer has solved the syscalls one using bfd filter its called seccomp filter and that idea most likely can be applied to filesystems. bfd filters was designed for network traffic so is very fast.

    Working apparmor comes after Crispin Cowan leaves it. Crispin Cowan hates me particularly because due to the issues with apparmor I pointed out Linus blocked it from being included in the main-line Linux kernel until they were fixed.

    Brillo really pulling up Crispin Cowan up against me you are foolish. A person who could not get his own LSM mainline due to defective workmanship.

    Yes its funny that Crispin Cowan wrote LSM (Linux Security Modules) interface. Yet he could not get his own included. It was the developer TOMOYO who listened to me and others on the examples of how to punch holes straight through apparmor and designed the file-system interface that prevents it. This eventually was applied to apparmor allowing it to enter the Linux mainline. This was not applied to apparmor by Crispin Cowan because he had gone to Microsoft by then. Crispin Cowan with apparmor put ease of use above security very Microsoft trait that.

    Really Crispin Cowan is more pig headed than me.

    So saying that Crispin Cowan design a security system is a worry. History says Crispin Cowan is not good at it. Too pig headed not studying enough to write security systems.

    Brillo UAC there are many ways to make it silently approve. Yes its another classic case of a Crispin Cowan security invention. Policykit from freedesktop is a solid design.

    The X11 issue is why the Linux world has wanted to be rid of it and why there is so much force to bring in wayland. Most of the security control framework under on Linux are very well designed. Its the historic crap that x11 is ruins things.

    Here is a perfectly one why UAC is not good enough. http://www.petri.co.il/bypass-uac-using-desktop-shortcut.htm

    You can write a shortcut file. That says what privilege level you want a program to run at. Interesting enough you don’t need UAC approve to do this. Next is the program that create the shortcut can run it. Now to really top things off the shortcut can be referring to a exe file on a remote ftp server so causing binary to be loaded straight into ram. Even more fun you can pick the user that basically the same on all windows systems. SYSTEM even as a guest user on Windows. Yes it stops you if you pick go Administrator but not if you go SYSTEM. Yes as any user you can run as the Linux equal to root under Windows no approval required. Some applications use this in their installer under windows.

    Yes we have a major suid bit problem under Windows. Worse is that users can create their own suid bits in their own home directory and they work. Yes the lnk files you don’t even need special rights to create them. Linux suid in filesystem means you do need to either have the OS off line or high access or special access to the file-system somehow to create them at higher than your level in the first place.

    Basically instead of doing fancy stuff like UAC MS needs to be focusing on the basics of making sure users cannot create privilege lifting operations. Historic feature in linux and Unix fstab is the means to forbid suid bit on filesystems. Same way you can forbid sudo operations to users. There is no option in windows that says in a users profile directory there cannot be a lnk file that straights up raising privilege without displaying a message.

    For all the ways you can attempt to get into a Linux system straight up avoiding display a message at all is impossible without a defect. Yet it perfectly possible in windows without a defect.
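The fstab control mentioned in the comment above can be checked mechanically. The following is an added example, not part of the comment: it reads fstab-style text and reports user-writable filesystems that still honour the suid bit. The list of user-writable mount points and the sample entries are assumptions constructed for the example.

```python
"""Flag user-writable filesystems in fstab-style text that still honour the suid bit."""

# Mount points an unprivileged user can normally write to (assumption for this example).
USER_WRITABLE = ("/home", "/tmp", "/var/tmp", "/dev/shm", "/media", "/mnt")

# Options that imply nosuid unless a later "suid" overrides them (see mount(8)).
IMPLIES_NOSUID = {"user", "users", "owner", "group"}

# Constructed sample, not taken from any real system.
SAMPLE_FSTAB = """\
# <device>      <mount>     <type>  <options>               <dump> <pass>
UUID=aaaa-0001  /           ext4    errors=remount-ro       0 1
UUID=aaaa-0002  /home       ext4    defaults                0 2
UUID=aaaa-0003  /tmp        ext4    rw,nosuid,nodev,noexec  0 2
tmpfs           /dev/shm    tmpfs   defaults,nodev          0 0
/dev/sdb1       /media/usb  vfat    user,noauto             0 0
/dev/sdc1       /mnt/data   ext4    users,suid              0 0
"""


def suid_allowed(options):
    """Return True if the option string leaves set-uid binaries effective.

    Options are applied left to right and the last relevant one wins.
    "defaults" is treated as a no-op because suid is already the default.
    """
    allowed = True
    for opt in options.split(","):
        opt = opt.strip()
        if opt == "nosuid" or opt in IMPLIES_NOSUID:
            allowed = False
        elif opt == "suid":
            allowed = True
    return allowed


def is_user_writable(mount_point):
    """True if the mount point is one of, or lies below, the USER_WRITABLE paths."""
    return any(mount_point == p or mount_point.startswith(p + "/")
               for p in USER_WRITABLE)


def audit_fstab(text):
    """Return (line number, mount point, options) for each risky entry."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2] == "swap":
            continue
        # fstab encodes a space inside a path as \040.
        mount_point = fields[1].replace("\\040", " ")
        options = fields[3]
        if is_user_writable(mount_point) and suid_allowed(options):
            findings.append((lineno, mount_point, options))
    return findings


if __name__ == "__main__":
    for lineno, mount_point, options in audit_fstab(SAMPLE_FSTAB):
        print(f"line {lineno}: {mount_point} mounted with '{options}' "
              "honours suid; add nosuid")
```

A path in USER_WRITABLE that has no fstab entry of its own sits on its parent filesystem and is not reported by this check.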

  27. Brillo says:

    @PR

    Who is Crispin Cowan? An employee of M$… Worked on UAC… Sigh.

    If you give me two things to choose from – UAC or some dialog box running on top of X – give me UAC any day.

    @Oldman
    All of your windows “security” experience is limited to a desktop version of windows that is now over 10 years old and 2 going on 3 versions behind and a server version of windows that is now 8 years old and 3 going on 4 versions behind.

    Whereas Cowan is a Ph.D. with 12 years of experience in computer systems security and a large array of recognized achievements under his belt within the industry. Maybe PR is just jealous?

    @Phenom

    What’s up, Pogson? The same guy who designed UAC designed core security mechanisms for Linux? How then claim that Linux is more secure than Windows?

    The real kicker is that the LKML archive is from 2007. Cowan joined MS in 2008. PR’s link also points out he is behind StackGuard, AppArmor and other things that lunatics such as oiaohom like to shout from the rooftops.

    @PR again

    …like much of the world uses, reluctant to take one more step on the Wintel treadmill.

    On the other hand, most Canadians still shop at Superstore, drink Starbucks and use Windows. What you are promoting here is called “anti-corporatism” and has nothing to do with the intrinsic value of the products.

    Also, “Wintel”… Are we still in 1995?

  28. oldman wrote, “All of your windows “security” experience is limited to a desktop version of windows that is now over 10 years old and 2 going on 3 versions behind and a server version of windows that is now 8 years old and 3 going on 4 versions behind.”

    …like much of the world uses, reluctant to take one more step on the Wintel treadmill. A business must share some responsibility for its history. Selling the world a lemon does not entitle M$ to stay in business.

  29. Phenom says:

    What’s up, Pogson? The same guy who designed UAC designed core security mechanisms for Linux? How then claim that Linux is more secure than Windows?

    No one told oiaohm to stop being foolish in this thread.
    Quote from a further reply on the same thread:
    “You may well not be able to get the chip back in order without a hardware change/reboot”.

    In other words, Ohio’s idea is nothing but a wishful daydream.

  30. oldman says:

    “I’ve seen how wonderful their security is not.”

    Pog, the fact is that you have made it very clear that you want as little to do as possible with windows. When faced with a “problem” with windows, more often than not you “solved” it via fork lift upgrade to the hackers crap distro that you prefer. At no point have I ever read that you made any substantial attempt to actually solve the problems that you encountered.

    All of your windows “security” experience is limited to a desktop version of windows that is now over 10 years old and 2 going on 3 versions behind and a server version of windows that is now 8 years old and 3 going on 4 versions behind.

  31. Who is Crispin Cowan? An employee of M$… Worked on UAC… Sigh.

    I’ve seen how wonderful their security is not.

    No one told oiaohm to stop being foolish in this thread.

  32. Brillo says:

    Really LOL. LKML you will find that I did not have my models mixed up on there at all.

    I know something’s mixed up in your head but I ain’t sure if it’s the “models”.

    Google is not my most common source. My huge collection of bookmarks, that is my most common source; the information in there has been collected over time. Let’s say I am a collector.

    So you hoard the pages you get from Google. Gotcha.

    LKML you will find that I did not have my models mixed up on there at all. OK, an idea I suggested was not liked. Funny thing is, as time has gone on it has been implemented. Same basic design as I described.

    You mean like that URI-for-filename idea you tossed at the Austin group? Cute, I must say.

    In fact it was Linus who told me to go work with the cgroup developers and others because LSM would be better if it died out.

    If by “Linus” you mean “Crispin Cowan” and by “go work with the cgroup developers” you mean “stop being foolish“.

    Somewhere an asylum is missing a mental patient.

  33. oiaohm says:

    Brillo “Isn’t that your favorite source?” Google is not my most common source. My huge collection of bookmarks, that is my most common source; the information in there has been collected over time. Let’s say I am a collector.

    Brillo
    “The only thing that matters is whether the final product works or not. Any problem as a result of technical issues existing in oiaohm’s imagination is entirely peripheral to the discussion.”
    The technical issue exists and it’s not my imagination; it comes up in the SugarCRM bug list quite a bit.

    The reality here is Brillo has just googled and has not done the required steps of checking bug-lists to make sure that solution does not contain some nasty issues.

    Brillo
    “I ain’t gonna waste time with you on that. If the denizens at LKML can’t convince you that you have got all the security modelling concepts completely mixed up, what chance do I have?”

    Really LOL. LKML you will find that I did not have my models mixed up on there at all. OK, an idea I suggested was not liked. Funny thing is, as time has gone on it has been implemented. Same basic design as I described.

    Most people think that SELinux is only Bell-LaPadula, missing how to do Biba Model in it.

    Both models are clearly documented here on Wikipedia.
    http://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model
    http://en.wikipedia.org/wiki/Biba_Model
    –This security model is directed toward data integrity (rather than confidentiality) and is characterized by the phrase: “no read down, no write up”. This is in contrast to the Bell-LaPadula model which is characterized by the phrase “no write down, no read up”.–
    Biba Model of security has nothing to do with preventing data being stolen.

    Note with Biba Model the no write up security levels. So in Biba you can read above your level and write that data down at a lower security access level. So the lowest level of break-in can read all the way to the top. Funny part under Biba Model is you can write data where you cannot read it.

    A guest user in Biba Model can basically read everything. Under Windows you are depending on the DAC to be set right to prevent users getting access to data they should not.

    Bell–LaPadula is about preventing data theft. That Windows does not implement. This is no read up and no write down. So you cannot read above your security level and you cannot write the data at your security level to a lower security level.

    A guest user under Bell-LaPadula is truly restricted from accessing information on the system.

    This is what you want around data where confidentiality is an issue.

    SELinux implements both Bell–LaPadula and Biba Model based on configuration. In some cases you want to use Biba Model because you are after integrity protection and in some you use Bell-LaPadula because you are after confidentiality.

    In some cases you use both Bell–LaPadula and Biba Model at the same time, creating a no read down, no read up, no write down, no write up model. Which is very simple: only access data of your level, no one else’s. You find SELinux doing this around some services.

    In fact a lot of configured SELinux systems end up running in a different model to both: no read up, no write down, no write up on some services. This model does not have a formal name.

    There are basically 4 models you find in SELinux-configured systems.

    Brillo, really I don’t think you know your models at all. I was talking on LKML about allowing the security framework to be implemented in user-space. The reality is what cgroups and seccomp filter and systemd are now doing as a group is doing exactly what I was talking about.

    The idea of userspace security frameworks goes against what the LKML mailing list classed acceptable at that time. Brillo, at least the guys on the LKML put sane arguments against it. Of course you will miss that I went and talked to cgroup developers and capabilities developers so my idea did progress forwards by different paths.

    I did take on what the LKML developers did say and did change. Just you did not see it. In fact it was Linus who told me to go work with the cgroup developers and others because LSM would be better if it died out.

    Brillo, writing models is no read up/down, no write up/down and so on. You write what is forbidden.

    Brillo
    “You mean the process or the progress? ;)”
    I do mean process. All the migrations that have worked what has been progress of the Linux Desktop since 2006 have followed the same basic process as documented in the IBM Redbook about Linux migration.

    Every Linux migration since 2006 to fail, when you look at them you find they have not followed the IBM Redbook. So you can basically predict if a company talking about a Linux migration will work or fail by comparing what they are doing to the IBM Redbook on Linux Migration. If it is not inside what that book describes you can basically say it will fail; so far that has been 100 percent.

    So yes, there has been progress of the Linux desktop since 2006. But the process to migrate to a Linux desktop is the same process today as it was in 2006 and every other model tried has failed.
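The four rule sets described in the comment above can be compared side by side. The following is an added example, not part of the comment and not SELinux code: each model is written as its set of forbidden operations, and a small search shows which way data can move between levels under each. The level numbers, model names and function names are assumptions, and one ordered set of levels is used for both confidentiality and integrity, as the comment does.

```python
"""Compare lattice models written as sets of forbidden operations."""

# 0 = guest, 1 = ordinary user, 2 = top level (constructed for the example).
LEVELS = (0, 1, 2)

# Each model lists what is forbidden; anything not listed is allowed.
MODELS = {
    "bell-lapadula": {"read_up", "write_down"},
    "biba": {"read_down", "write_up"},
    "both": {"read_up", "read_down", "write_up", "write_down"},
    "unnamed": {"read_up", "write_down", "write_up"},
}


def allowed(model, op, subject, obj):
    """May a subject at level `subject` perform `op` ('read' or 'write')
    on an object at level `obj` under `model`?"""
    if obj == subject:
        return True  # same-level access is never forbidden by these rules
    direction = "up" if obj > subject else "down"
    return f"{op}_{direction}" not in MODELS[model]


def readable_levels(model, subject):
    """Object levels a subject at `subject` may read."""
    return [o for o in LEVELS if allowed(model, "read", subject, o)]


def writable_levels(model, subject):
    """Object levels a subject at `subject` may write."""
    return [o for o in LEVELS if allowed(model, "write", subject, o)]


def can_flow(model, src, dst):
    """True if data stored at level `src` can end up in an object at level
    `dst` through any chain of subjects that each read and then write."""
    reached = {src}
    frontier = [src]
    while frontier:
        current = frontier.pop()
        for subject in LEVELS:
            if not allowed(model, "read", subject, current):
                continue
            for obj in writable_levels(model, subject):
                if obj not in reached:
                    reached.add(obj)
                    frontier.append(obj)
    return dst in reached


def summary(model):
    """What a guest can read, whether top-level data can leak down
    (confidentiality), and whether guest data can reach the top (integrity)."""
    top, guest = LEVELS[-1], LEVELS[0]
    return {
        "guest_reads": readable_levels(model, guest),
        "leak_down": can_flow(model, top, guest),
        "taint_up": can_flow(model, guest, top),
    }


if __name__ == "__main__":
    for name in MODELS:
        print(f"{name:14} {summary(name)}")
```

In the output, `leak_down` is the confidentiality failure and `taint_up` is the integrity failure; only the combined rule set blocks both directions.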

  34. Chris Weig says:

    In fact, best to use God model. Faith in God be unwavering, if true this, Linux installation never go bad. Should still happen 10 Lord’s prayers and two Rosaries fix problem immediately. Other interesting combo is: five Lord’s prayers, two Rosaries, and three Hail Marys, will destroy any Windows installation.

    Voodoo also promising for secure Linux.

    And: never forget letting Shinto priest consecrate Linux computer. Will never go bad then. Better than Shinto priest only real mahou shoujo, but difficult find since rare. Sometimes putting mahou shoujo as desktop background can be a help. But depends on NSFW factor.

  35. Brillo says:

    I’ll drop my comedic routine and just make this a quick one.

    Brillo is using google.

    Isn’t that your favorite source?

    I stated what the issue is. Result of using either is you are using two document processing engines that are not compatible, one in MS Office, one in SugarCRM.

    Irrelevant. The only thing that matters is whether the final product works or not. Any problem as a result of technical issues existing in oiaohm’s imagination is entirely peripheral to the discussion.

    The process of migration has not changed since 2006.

    You mean the process or the progress? 😉

    Even so the Selinux and Apparmor to exceed MS windows 7 and 8 security around applications.

    I ain’t gonna waste time with you on that. If the denizens at LKML can’t convince you that you have got all the security modelling concepts completely mixed up, what chance do I have?

  36. oiaohm says:

    Brillo is using google.
    I have used http://www.insightful.com.au/sugarcrm/office-plugins/riva-crm-integration.html and http://www.sugarforge.org/projects/grinmarkoffice/

    I stated what the issue is. Result of using either is you are using two document processing engines that are not compatible, one in MS Office, one in SugarCRM.

    oiaohm comment 25
    “Reason is document conversion SugarCRM will reach out to perform this task to LibreOffice or OpenOffice.”

    I did state this point; apparently you cannot read, Brillo. The issue is using 2 processing engines, not that you cannot use the plugins; it is that it will cause you problems at some point.

    Just because you can do something does not mean you should do something, Brillo.

    Brillo comment 27
    Document page 27 says, “The upcoming release of Windows Vista™ will significantly change how the
    Windows platform manages many security-related concerns from a user point of view.”
    This is a pointless quote. There are other documents that compare current Linux Security to Windows 7 and 8.

    The process of migration has not changed since 2006. Some of the information in that book I did state as old.

    Even so the Selinux and Apparmor to exceed MS windows 7 and 8 security around applications. That is not allowing for the other security advancements in Linux since.

    The reality is Windows 7 and 8 still don’t implement proper multiple levels of security (MLS).

    Really this is not dumb Clarence Moon. This is moron Brillo not reading what he has been told.

    oiaohm comment 10
    “Published 2006 has not need updating since then. The key process has not required changing.”
    See back then I told you that it was old.

    Key process has not changed. Some of the information has changed. Not enough to justify rewriting the document. Like Windows 7 and 8 security still sucks; improved a little but not enough to implement.

    http://blogs.technet.com/b/steriley/archive/2006/07/21/442870.aspx Welcome to Microsoft. We create MIC that controls alterations; we fail to control what can access and send the data elsewhere.

    SELinux implemented both Bell-LaPadula model and Biba Model. So you can use whichever one is more suitable. AppArmor is Bell-LaPadula.

    Microsoft only implements a Biba Model. When you want to prevent data from being stolen for a business you want to use Bell-LaPadula so it cannot be read by anything that does not need to. When you want to prevent damage you use the Biba Model.

    Biba Model does not help to prevent your credit card details being stolen and any other private information.

    Ideal security has both. So the security comparison from 2006 is still valid; Linux is still superior. Not as much. So it minorly overplays the advantage.

    Brillo, reality is the MS solution has not caught up with SELinux or Trusted Solaris from 2003 for security framework parts.

  37. Brillo says:

    –BEGIN OIAOHM-SPEAK–
    Dumb Clarence Moon not know Windows Vista is upcoming.

    http://www.redbooks.ibm.com/redbooks/pdfs/sg246380.pdf

    Document page 27 says, “The upcoming release of Windows Vista™ will significantly change how the
    Windows platform manages many security-related concerns from a user point of view.”

    Clarence Moon RHEL 5 success migration will change way business works in 6 years. Fact is Linux will dominate businesses by 2012 and Mayan doomsday asteroid destroys Redmond.
    –END OIAOHM-SPEAK–

  38. Brillo says:

    –BEGIN OIAOHM-SPEAK–
    There is no plug-in for MS Office to integrate with Sugercrm that is perfectly safe.

    In fact plug-in so unsafe people sell it for money.

    http://www.insightful.com.au/sugarcrm/office-plugins/riva-crm-integration.html

    Some unsafe plug-ins marked mature scary I know.

    http://www.sugarforge.org/projects/grinmarkoffice/
    –END OIAOHM-SPEAK–

  39. oiaohm says:

    Clarence Moon
    “Linux and FLOSS in general is a tail chasing sort of endeavor that does not lead the market and so can only follow after most buyers have already become experienced with whatever sort of program that the FLOSSers are copying.”

    I told you guys to read the redbook http://www.redbooks.ibm.com/abstracts/sg246380.html Read document page 22 by document page 53 by pdf section 2.2 particularly in this case.
    “This book focuses on methods for migrating Microsoft Windows-based clients to Linux-based clients within a mainly Windows-based enterprise. But in general, the client migration is almost always part of a larger migration to open source
    software within the enterprise. This has to be taken into account when planning a client migration.”

    The key point here is “almost always part of a larger migration to open source software within the enterprise”. The book skips over explaining why.

    So now I will give you a real world example. Now you are running Sugarcrm for customer management. The best integrating Office suite is OpenOffice or Libreoffice.
    http://www.sugarforge.org/projects/crm4office/
    Stable works no issues.

    There is no plug-in for MS Office to integrate with SugarCRM that is perfectly safe. Reason is document conversion; SugarCRM will reach out to perform this task to LibreOffice or OpenOffice. This is where issues can come from. Yes, there are many plug-ins for MS Office for SugarCRM but they all do come back and bite you.

    Mind you, the reverse is true as well: using Microsoft Dynamics CRM, using LibreOffice to put documents into it also risks hell breaking loose. Using two different document processing engines introduces more bugs to the production process.

    Yes, the real o crap problem, Clarence Moon. What you are using in the server room has a direct effect on what you should use on the desktop.

    So if your server room is staying Microsoft your desktops most likely will have to remain Microsoft. So people who use the FOSS desktop as just cost cutting and keep MS Server and products do end up calling the project a waste of time and money due to integration problems.

    The reverse can also be true. You change the server to Linux, keep on Windows desktops with MS software only, and you can also run into major integration problems.

    If your servers are going Linux, what software you place on the servers will define how much of the desktop can and should go Linux.

    The IBM Redbook walks you through the process. You might do the first stages in the Redbook and find that you are too far bound to migrate anything to Linux. Or you might find that you have been kicking yourself in the teeth by using FOSS in server and MS products on desktop, so causing incompatibility events.

    In most business 80 percent of operations can be performed on the FOSS desktop Clarence Moon.

    Chris Weig, also go read the Redbook and get some understanding of the problem. It’s not a black or white answer. Linux with Windows can be the best possible choice for stability.

    Linux with Windows can also be the worst possible choice for stability if you try to make the wrong application interact with the wrong thing.

    IBM wrote the redbook about Linux Migrations for very good reasons.

    Clarence Moon and Chris Weig you are both trying to put a black and white answer on something that is shades of grey.

    Chris Weig 80 to 90 percent conversion possibility and being productive come from IBM, Munich and other studies into Linux deployments. There is a catch of course there is a requirement to deploy Linux in Server room at same time. Yes the conversion percentage is not made up.

    Clarence Moon
    “Mr. Pogson calls it “lock-in” and suggests that it is something malevolently introduced by Microsoft, but it is actually just the nature of all things in terms of product use and, consequently, marketing.”
    This is wrong. The Lock-in by Microsoft has been documented as being done Malevolently. Starting with the RTF standard between Office suites going on all the custom and exclusive protocols between their server products and their client software so excluding competition.

    Not part of out marketing the competition. You try using outlook with a standard webdav calendar server. It kicks you in the teeth. You have to install third party addon to use it. Basically MS makes outlook and says basically I don’t want connect to anything bar exchange.

    ADS provides a LDAP server right?? Yes it does except particular operations part of standard are broken interesting enough the historic operations to sync to another LDAP server so making ADS only sync effectively to other ADS servers.

    Clarence Moon just kick you in the teeth go read the EU anti-trust case document you find out that this was all intentional.

    Clarence Moon there is one thing to win by marketing its another to exclude your products from competition.

  40. Clarence Moon says:

    Unless the business is an accounting business, the vast majority of users of PCs don’t need an accounting software running on their PCs.

    People doing accounting of various types need accounting software, others do not. Even so, almost everyone who uses a computer thinks they need “something” and are already using that “something” to their satisfaction. If a new computer does not have that “something” available, the buyer is likely to think twice or more before buying a new computer that is missing what has been a key ingredient.

    That is the nature of such a mature product line as Windows computers that have established such a widespread set of expectations on the buyers who want to preserve their experience and investments. Mr. Pogson calls it “lock-in” and suggests that it is something malevolently introduced by Microsoft, but it is actually just the nature of all things in terms of product use and, consequently, marketing.

    Linux and FLOSS in general is a tail chasing sort of endeavor that does not lead the market and so can only follow after most buyers have already become experienced with whatever sort of program that the FLOSSers are copying.

  41. oiaohm says:

    Brillo, I did state an exact book.

    “Linux Client Migration Cookbook, Version 2: A Practical Planning and Implementation Guide for Migrating to Desktop Linux” By book page numbers 1 to 45 at a min. So you get some basic overview of the correct process of a migration of part or all of a business to Linux. Of course some things have changed since 2006 when the book was done. This is the starting redbook for the Desktop process. There are other more targeted books for other problems.

    Really, that Quackery site, Brillo, is out of date; newer research causes some problems with the statements.
    Brillo, sugar in large dosages has been confirmed harmful.
    http://theconversation.edu.au/mondays-medical-myth-sugar-is-to-blame-for-our-obesity-epidemic-6078
    The research over sugar and other things doesn’t agree with the statements. People are overdosing on things. Sugar overdose will kill you by heart failure or diabetes and along the way cause a host of other illnesses. Poor circulation in fact increases risk of cancer and so on.

    Water fluoridation is an interesting one; it’s the overdose problem.
    http://en.wikipedia.org/wiki/Fluoride_toxicity
    How to overdose without knowing it with Fluoride. You drink water that has fluoridation & you have toothpaste that is high Fluoride containing (yes, there are different levels of toothpaste) & you chew dental rated chewing gum (thinking you are doing a good thing) that also contains Fluoride & you have some tinned food for tea/lunch that has used Fluoride as a preservative. Oops, you have breached the medically safe daily intake of Fluoride in most cases if you did that.

    Basically toothpaste or dental chewing gum, not both.

    Boiling water increases Fluoride dose per L of water. So if you only drink boiled water you can be leading yourself into trouble, particularly if you leave it boiling.

    Most people don’t know there are different toothpastes; some are designed for people without Fluoride in water so have a higher Fluoride level. Really, there are some that are not to be swallowed; you should wash your mouth out properly with some of them.

    Water fluoridation alone does not do you in. In fact if drinking water is not fluoridated you can still do yourself in. Just have too many Fluoride-containing things and not be aware that you have overdosed yourself. Some people think it is just intermittent food poisoning. Basically gastrointestinal distress is one of the signs to beware of that comes from intake of too much fluoride. So that upset belly happening a bit is really a sign to check what you are eating for the source items of this problem. Yes, with an upset belly you need to check your Fluoride intake, that you are not taking in too much of that. Along with other things like eating enough fibre.

    In fact people need to be aware that drinking a lot of Coke Zero is not exactly a good idea to avoid sugar either.
    http://en.wikipedia.org/wiki/Sucralose 9 milligrams per kilogram of body weight per day max safe intake.

    http://en.wikipedia.org/wiki/Acesulfame_potassium
    That is also in Coke Zero and is not known to be safe; some studies question how safe it is.

    Other diet drinks contain other artificial sweeteners with equal problems.

    So drop soft drinks. Don’t go diet version; it might be worse than having sugar. You can do physical activity to reduce the bad effects of sugar. Some of the artificial sweeteners, they just may not be safe and that is the best data we have on them.

    Brillo, basically the old saying everything in moderation is so true with food. Thing is knowing what is moderation and what is excessive.

    Brillo, please in future hold back from quoting medical documents that are over 12 months old. What you quoted was 2005; medical data has moved on a lot since then.

  42. Chris Weig says:

    Unless the business is an accounting business, the vast majority of users of PCs don’t need an accounting software running on their PCs.

    That’s cute. So you plan to declare any software as expendable until you’ve arrived at the bare-bones OS which only needs a browser and, perhaps, LibreOffice? I thought it was the user’s choice to choose what she or he needs on her or his computer. What exactly are these enormous software repositories of the modern Linux distribution for then?

    Please refer back to comment no. 12.

  43. dougman wrote of businesses, “they do need accounting software,”.

    Unless the business is an accounting business, the vast majority of users of PCs don’t need an accounting software running on their PCs. Lots of businesses are small and still do their accounting with a spreadsheet. Others hire an accountant who digests the paperwork so there are some businesses who need no accounting software.

  44. Brillo says:

    For someone NOT caring about my supposed FUD

    Did I say in my post that I didn’t care about your “supposed” FUD? Make no mistake here -preposterous claims like yours are the main reason I keep commenting here. Unless “supposed FUD” is a Freudian slip on your part admitting that LibreOffice is not the same in capability as MSO even if they could both read the same file formats 100% correctly, maybe you should consider working on your reading comprehension skill for, say, 10k hours? 😉

    Not sure where you were heading with the quackery note, are you implying that M$ Windows malware is just quackery?

    I don’t know where your 10k hours “expert” status came from but it’s pretty obvious to me that packet spoofing and cyber-bullying are neither malware nor Windows-specific problems, and that’s good enough for me to count your list as “invented diseases”.

  45. Chris Weig says:

    Not sure where you were heading with the quackery note, are you implying that M$ Windows malware is just quackery?

    Asks the quack doctor prescribing his “customers” things like “Hitman Pro”. Either you’re yourself a believer or you simply like to rip off your “customers”.

    Sure, malware etc. certainly does exist. But the quackery only begins when people like you want to make users — specifically: Windows users — believe that an attack on their computer is imminent the moment they connect it to the internet. And the quack doctor knows what to prescribe: anti-virus software, anti-malware software, second-opinion software etc.

  46. dougman says:

    Brillopad,

    For someone NOT caring about my supposed FUD, you so do make an effort to retort often enough, which leads me to believe that your MVP status is at stake.

    Not sure where you were heading with the quackery note, are you implying that M$ Windows malware is just quackery?

  47. Brillo says:

    On a related note, here’s a discussion on how quackery sells using scare tactics:

    “Another slick way for quackery to attract customers is the invented disease. Virtually everyone has symptoms of one sort or another—minor aches or pains, reactions to stress or hormone variations, effects of aging, etc. Labeling these ups and downs of life as symptoms of disease enables the quack to provide ‘treatment.’

    “Some practitioners claim to detect ‘deficiencies’ (or ‘imbalances’ or ‘toxins,’ etc.) before any symptoms appear or before they can be detected by conventional means. Then they can sell you supplements (or balance you, or remove toxins, etc.). And when the terrible consequences they warn about don’t develop, they can claim success.

    “Food safety and environmental protection are important issues in our society. But rather than approach them logically, the food quacks exaggerate and oversimplify. To promote ‘organic’ foods, they lump all additives into one class and attack them as “poisonous.” They never mention that natural toxicants are prevented or destroyed by modern food technology. Nor do they let on that many additives are naturally occurring substances.

    “Sugar has been subject to particularly vicious attack, being (falsely) blamed for most of the world’s ailments. But quacks do more than warn about imaginary ailments. They sell ‘antidotes’ for real ones. Care for some vitamin C to reduce the danger of smoking? Or some vitamin E to combat air pollutants? See your local supersalesperson.

    “Quackery’s most serious form of fear-mongering has been its attack on water fluoridation. Although fluoridation’s safety is established beyond scientific doubt, well-planned scare campaigns have persuaded thousands of communities not to adjust the fluoride content of their water to prevent cavities. Millions of innocent children have suffered as a result.”

    So, Dougman – do you happen to have fed ducks over 10k hours?

  48. Brillo says:

    Only because M$ choose NOT to follow the XML ISO standard.

    Who cares? Even if LibreOffice can read .docx 100% correctly, it’s doubtful that people want to migrate to it.

    Office 2013 will finally fully support ODF

    Then what’s this?

    Besides, does anyone care?

    With M$, you are wide open to the following items

    All FUD and no substance.

    “Internet social engineering attacks”? Again, teach the kids to eat tree bark instead of get into the habit of washing hands before meals. That’ll work.

    “Network sniffers”? You mean a packet analyser or a port scanner? The former cannot be defeated without encryption in the traffic, and the latter cannot be stopped without a firewall.

    “Packet spoofing”? Yeah, because those ancient protocols for *nix (NFS, X, etc.) are sure as eff immune to those.

    “Session-hijacking”? Oh, please, do by all means tell me what magic pixie dusts Linux has to defeat man-in-the-middle attacks.

    “Cyber-threats & bullying”? Now you are just parodying yourself.

    “Automated probes and scans”? What do you even mean by “probes and scans”?

    “Widespread, distributed denial-of-service attacks”? Linux will automagically save you from those because…?

    “Industrial espionage”? Again, keep telling those kids to eat tree bark.

    “Executable code attacks”? People can write executable code to attack your computer? Wow!

    “Analysis of vulnerabilities in compiled software without source code”? Yes, compilers – how do they work?

    “Widespread attacks on DNS infrastructure”? Use BIND!

    “Widespread attacks using NNTP to distribute attack”? Just as you thought that “newsgroup” thing had already died along with the 90s…

    “Stealth and other advanced scanning techniques”? Perhaps you should look out for those sneaky ninjas with cameras inside your home, then.

    “Windows-based remote access trojans”? The ancient Greeks sure was technologically advanced. Seriously, though, do you even know what a “trojan” is as far as malware is concerned?

    “Email propagation of malicious code”? You mean you can use email to distribute malicious code? Far out!

    “Wide-scale trojan distribution”? One wooden horse full of sword-wielding intruders is bad enough. Do we need more of those?

    “Distributed attack tools”? You can distribute those “network sniffer” thingies? Oh, noes!

    “Targeting of specific users”? No wonder there are red laser dots on me all the time!

    “Anti-forensic techniques”? One degausser comin’ up, hoooo-weeee!

    “Wide-scale use of worms”? Damn you, Robert Morris!

    “Sophisticated botnet command and control attacks”? What happened to the good ol’ days of simple botnet command and control attacks?

  49. dougman says:

    I have yet to see a business whose employees can cope only with an office suite and an email client.

    True to a degree; they do need accounting software. GnuCash works well for that, and they just came out with a beta Android version: http://worldofgnome.org/gnucash-for-android/

    LibreOffice’s compatibility with Office documents is flaky at best.

    Only because M$ choose NOT to follow the XML ISO standard. Office 2013 will finally fully support ODF, Open XML, and PDF formats. Office 2007 and 2010 do support ODF documents.

    http://redmondmag.com/articles/2012/08/17/office-2010-xml-support.aspx

    http://techrights.org/2012/08/15/ooxml-neglect/

    Almost all viruses and malware are coded to take advantage of weaknesses in Windows.

    One only has to look at current malware, namely Flame, Duqu, Mahdi, Stuxnet, Gauss, Shamoon that affects infrastructural systems to see this statement is correct.

    With M$, you are wide open to the following items:

    -Internet social engineering attacks
    -Network sniffers
    -Packet spoofing
    -Session-hijacking
    -Cyber-threats & bullying
    -Automated probes and scans
    -GUI intrusion tools
    -Automated widespread attacks
    -Widespread, distributed denial-of-service attacks
    -Industrial espionage
    -Executable code attacks
    -Analysis of vulnerabilities in compiled software without source code
    -Widespread attacks on DNS infrastructure
    -Widespread attacks using NNTP to distribute attack
    -“Stealth” and other advanced scanning techniques
    -Windows-based remote access trojans
    -Email propagation of malicious code
    -Wide-scale trojan distribution
    -Distributed attack tools
    -Targeting of specific users
    -Anti-forensic techniques
    -Wide-scale use of worms
    -Sophisticated botnet command and control attacks

    Once you step out of the glass-encased box, your footprint to actually getting infected from malware/virus drops significantly.

    Almost everything they did was word-processing and printing text and a few graphics, stuff LibreOffice could do easily.

    Agreed, current businesses are strapped for cash as it is. Once you start talking alternatives, offering demos and decent training, the light goes off in their head and people begin to open up to possibilities and drastic cost reductions in IT.

  50. Clarence Moon says:

    I have spoken with one personally when I was planning and implementing an Ubuntu GNU/Linux roll-out for a school.

    And what was the commission he received on that job?

    Probably zero, given your tightwad nature, Mr. Pogson. Also, there seems to be no such product as “Ubuntu Linux”, Gnu or otherwise. A comprehensive scan of the Ubuntu website shows only the term “Ubuntu” used as the product name. I think you’re trying to rub off some of their glory onto your sorry old Debian or whatever again, much like you do with Android.

    I find it hard to believe that Canonical has their own sales force covering the type of accounts that you say you are associated with in the Canadian wilderness. If they are paying people to do that, they must be paying them very little and they are not likely to be getting their money’s worth even then.

  51. Brillo says:

    Folks like SUSE even have applications you can run on each machine to do the job essentially completely.

    If it’s something you have to pay to get, it’s not in SuSE repository.

    Yeah, I have heard your story about putting GIMP on school computers – many times, in fact. Not a terribly reliable recount of the event, I am afraid.

    Also, there are volumes of “Redbooks” in IBM’s collection. Have you even thought about asking oiaohm which page or which chapter of which book he has gathered his information from? Or are you just so desperate to the point that you are OK with not verifying anything that comes across you so as long as it suits your argument?

  52. Chris Weig says:

    The one thing that makes GNU/Linux mainstream and essential is that there are huge numbers of users who just need one application to work like a browser for web applications so it is trivial to migrate them. […] In schools that fraction is higher than 90%. Businesses seem to quote 80%.

    Quoted for insanity.

  53. oiaohm wrote, “Linux deployments in business have been going on for a long time. Really there should be no excuse for screwing it up with how well documented it is.”

    Amen. Folks like SUSE even have applications you can run on each machine to do the job essentially completely. I have been blessed to have worked in schools where IT is rather simple and not locked-in so I could just move data and install. It’s hard to mess that up with networks and hardware being so reliable these days.

    The one thing that makes GNU/Linux mainstream and essential is that there are huge numbers of users who just need one application to work like a browser for web applications so it is trivial to migrate them. There’s no reason at all that every organization should not migrate those individuals. In schools that fraction is higher than 90%. Businesses seem to quote 80%. The closest I have seen to business use are offices in schools. The last place I worked had only one application locking them to M$ and they did not even use it. If they did they would only need it on one PC in the office and they had five. Almost everything they did was word-processing and printing text and a few graphics, stuff LibreOffice could do easily.

    Business use of PCs accounts for hundreds of millions of units. If 80% migrated to GNU/Linux, businesses would save $billions of dollars on the next iteration of M$’s treadmill and a $billion or two annually thereafter. Once that’s done, M$’s OS can be seen as a burden and migration to web applications can kill it off. It does take time/money to migrate to web applications but businesses will do that whether or not they migrate to GNU/Linux because it saves money either way. Eventually the 80% number will approach 100%. That’s why M$ diversifies like mad spending $billions on risky ventures hoping to win the lottery. They lost zune, Vista, the cloud, LANs and now “8”. The only thing sure is that their desktop monopoly is on its last legs.

  54. oiaohm says:

    Chris Weig, IBM also publishes a white paper on the issue.

    “Linux Client Migration Cookbook, Version 2: A Practical Planning and Implementation Guide for Migrating to Desktop Linux” Link Robert Pogson gave.

    Published in 2006, it has not needed updating since then. The key process has not required changing.

    Companies that have followed the IBM book method have not cost themselves extra money.

    This is the problem, Clarence Moon and Chris Weig. How to do Linux migrations cost-effectively has been documented since 2006.

    Problem here: a lot of stupid buggers tried to do the wheel and attempted migrations against what the IBM Redbook recommends. Every party that followed the IBM Redbook has saved somewhere.

    I have read the Ubuntu guide; it’s highly abridged, but it’s mostly the IBM book reworded with the detail lost.

    Also http://www.canonical.com/about-canonical/resources/case-studies is a good place to visit Clarence Moon and Chris Weig before you say another thing.

    Ubuntu documentation is backed by the results of real deployments. Just like IBM’s is.

    Linux deployments in business have been going on for a long time. Really there should be no excuse for screwing it up with how well documented it is.

  55. Chris Weig says:

    The principles of migration which Ubuntu espouses apply to all GNU/Linux migrations, not just Ubuntu.

    Yes, that’s what I wrote. But you reprimanded me for bringing Ubuntu into this. See your post no. 3.

  56. Chris Weig spouting more garbage: “I’d say it’s very relevant. Because Ubuntu’s FUD arguments are really the same old, and lame, arguments that are known from sites like “Why Linux is better”. FLOSS is unimaginative on every conceivable level.”

    The principles of migration which Ubuntu espouses apply to all GNU/Linux migrations, not just Ubuntu.

  57. Chris Weig says:

    Nonsense. I wrote an article about migration and you respond with propaganda about Ubuntu. Ubuntu is not the end all and be all of GNU/Linux.

    Nonsense? You linked to Ubuntu’s “five golden rules for a successful Ubuntu desktop migration”. And in this document was a link to the aforementioned other Ubuntu ebook about the cost of migrating to Ubuntu vs. migrating to Windows 7.

    I’d say it’s very relevant. Because Ubuntu’s FUD arguments are really the same old, and lame, arguments that are known from sites like “Why Linux is better”. FLOSS is unimaginative on every conceivable level.

  58. kozmcrae says:

    And so the Cult of Microsoft try their very best to introduce uncertainty about a transition to FLOSS. They try and fail.

    Clarence Moon, Chris Weig and iLia, you fail because you are known to us. FLOSS is mainstream now. You are attempting to introduce uncertainty about something that is accepted as certain. You are fools.

  59. Clarence Moon wrote, “it is not even very certain that they actually have any at all”.

    They surely do. I have spoken with one personally when I was planning and implementing an Ubuntu GNU/Linux roll-out for a school.

  60. Clarence Moon says:

    Canonical just has the best salesmen.

    Read “only salesmen” and it is not even very certain that they actually have any at all. They do seem to have the most commercially acceptable package. If any version of Linux were to succeed on the desktop, it would be Ubuntu.

  61. Chris Weig wrote, “FLOSS propaganda (aka FUD) is alive and kicking.”

    Nonsense. I wrote an article about migration and you respond with propaganda about Ubuntu. Ubuntu is not the end all and be all of GNU/Linux. Canonical just has the best salesmen. I can set up a Debian GNU/Linux installation with none of the problems you cite. The last place I worked, Debian ran as smoothly on new AMD64 machines with 3 GB RAM as on 8 year old PCs with 256 MB RAM. I just skipped GNOME and used XFCE4. The feeble machines made great thin clients. The users of the old machines had better performance than the users of that other OS on the newest machines.

  62. iLia says:

    You don’t have to upgrade your hardware: Ubuntu’s lightweight footprint means it will run perfectly well on your existing desktops, even your oldest machines.

    I was pretty happy with my Celeron-1700 with 1Gb memory, until I installed Ubuntu.

    Even the most simple text editors, like Geany, worked terribly slowly. The lag between a key being pressed and the symbol appearing on the screen is something like 1/4 second. The problem was resolved by installing LXDE.

    Gnome 3 simply doesn’t work. I have no idea why. Maybe my video card is too old.

    And why should I buy a new PC when my old one works perfectly and allows me to do whatever I need? Simply to be able to run Unity and other non optimized open-crap-ware?

  63. Chris Weig says:

    OK, so I downloaded Canonical’s other e-book, Crunch Time on the Enterprise Desktop, which was advertised in the e-book you linked to like so:

    Want to see just how much you could save with Ubuntu? Just download Crunch Time on the Enterprise Desktop and start building a business case today.

    On page 3 it is stated that migrating a single PC to Windows 7 in a 10,000 PC environment costs at least $1205 (that is the cost for replacing Windows XP on existing PCs). That number came from a Gartner press release. It’s not explicated in any way, and it’s — of course — false. Best Lucy Koh imitation: “Unless you’re smoking crack, you know that these numbers don’t add up.”

    Well then, let’s continue with Canonical’s top eight reasons “why Ubuntu is a better choice than Windows”:

    Anyone can use it: Ubuntu is an attractive, intuitive enterprise desktop OS that anyone can use (and customise to their own preferences).

    Wow! That’s a bold statement coming from a company who has single-handedly created the ugliest desktop environment ever. It’s also far from intuitive, as Unity’s copied-from-the-Mac paradigms have been implemented wrongly and many standard GUI paradigms have been botched in an effort to “better” them. Customization which goes beyond the very basic is not possible without third-party tools which are not pre-installed (and even for some basic customization you need third-party tools).

    It’s a smooth transition: Its familiar, easy-to-use interface means switching to Ubuntu is no more of a wrench for users than the shift from XP or Vista to Windows 7. And the move away from Microsoft can be done gradually: a dual boot option means you can run Ubuntu’s light-client desktop alongside Windows until users are ready to make the switch.

    Wrong. Vista and 7 provide the same usage paradigm as Windows XP, and Windows 2000, and Windows NT. It was exactly not disruptive. Unity is.

    Dual boot? Yeah, right. If dual boot is offered, people will boot Windows. And rightly so.

    It has everything many users will ever need: The LibreOffice suite – which comes with Ubuntu – has all the features of Office, and can create, open and handle Office documents when required. The Evolution email client, meanwhile, works seamlessly with Microsoft Exchange Server and offers the same email, calendar and task management features as Outlook. In fact LibreOffice is so user-friendly that many organisations opt to roll it out to users as a ‘first step’ in the transition away from Windows to Ubuntu.

    Canonical, please stop lying! I have yet to see a business whose employees can cope only with an office suite and an email client (perhaps in rural Australia, I don’t know). LibreOffice’s compatibility with Office documents is flaky at best. Evolution works anything but seamlessly with Exchange (our Exchange administrator at work is quite pissed because BYOD people ask him if he can fix their Ubuntu to allow Exchange access). Also, Evolution is no longer the standard email client in Ubuntu 12.04.

    You don’t have to upgrade your hardware: Ubuntu’s lightweight footprint means it will run perfectly well on your existing desktops, even your oldest machines. With Gartner estimating that hardware costs involved in a typical Windows 7 upgrade brings the total migration cost to at least $1,205 per user, that’s reason enough in itself to check out Ubuntu.

    Ubuntu is a resource hog. Read any Ubuntu forum, you’ll very soon read recommendations like: “You want lightweight, use Xubuntu/Lubuntu/other distribution”. False Gartner numbers are quoted again as justification, because Canonical assumes that every IT department is run by morons who don’t upgrade their machines regularly. BTW, when Windows 7 came out I installed it on a four year old off-the-shelf computer without upgrading (or having upgraded) anything, and it ran perfectly.

    It’s not susceptible to viruses: Almost all viruses and malware are coded to take advantage of weaknesses in Windows. They simply won’t run on Ubuntu, immediately decimating the amount of time, resource and expense you invest in protecting your desktops (not to mention cleaning them up if something nasty does strike).

    ROFL. The usual self-deception.

    It’s easy to manage: Canonical’s Landscape console makes Ubuntu easy to manage, either as your default desktop OS or in a hybrid environment alongside Windows PCs, Macs, smartphones, tablets, netbooks, thin-clients and anything else you use to make sure your organisation works in the best and smartest way possible.

    And Windows has, of course, no management tools available.

    It supports the way you work today: Ubuntu’s light-client approach means it’s ideal for netbooks as well as desktops, so your workforce can be as mobile as they like.

    Wow, I didn’t know that Windows 7 didn’t run on netbooks and desktops. Awesome hint, Canonical! I’m especially glad that you deactivated useful things like hibernation by default in 12.04, because you know they don’t work correctly. But who needs that?

    It’s free. The operating system, the LibreOffice suite and more than 30,000 other apps are all free, and always will be. If you like, you can deploy Ubuntu across your enterprise without paying a single penny. (Although we do recommend that you invest in enterprise desktop support and services from Canonical – that’s our business and we’re pretty good at it.)

    Oh yeah, “it’s free”!!! Except for all the other costs Canonical doesn’t want to talk about and the Cult of FLOSS ignores.

    FLOSS propaganda (aka FUD) is alive and kicking.
