Replies

That article does have some rather significant omissions.

You actually can get open source software with support, service, auditing and extensive documentation. It might be more expensive than a package deal on a well-packaged closed-source product, since they don’t have vendor lock-in for future sales, but you can get it. Then again you can change support and customization providers later.

For the really security-conscious buyer, you want an independent audit on the source code and binaries with no NDAs, and that is usually only available on the open source side. Yes, this means you pay for it separately to ensure it’s really independent…

See, closed source side of things tends to have everything bundled together and monetized through just the software license, or license + ongoing support. Open source side, you don’t usually pay for the license at all, but then you’ll need to buy everything else separately or do it yourself.

 

This does tend to make open source particularly attractive to 1) those who can go with the do-it-yourself way, such as independent professionals and organizations that already have the abilities for that, and 2) large organizations that are concerned about continuity and security and have the resources to either buy independent auditing, software support and whatever services or assign an internal department to do that, such as governments and very large corporations.

Small and medium businesses in fields other than IT tend to be neither of those, but there are exceptions.

1 user thanked author for this post.

Bluetrix

Yes, this was a known possible avenue of attack already in January.

Firefox versions since then have a much-reduced timer resolution in the JavaScript engine to prevent this kind of thing, in Firefox 59 it’s 2 milliseconds… down from 5 microseconds in pre-Spectre releases. Interim versions have had resolutions like 20 microseconds (harder to attack but not completely secure).

The ZDNet article notes that too.

Actually, UNIX(r) is nowadays a very confusing mix of open and closed source, usually. AT&T System III descendants are closed source except for OpenSolaris (first release in 2008, discontinued in 2010; never a complete version of Solaris), but since origin of the software means nothing for the UNIX name, the different UNIX distributions don’t necessarily share any code at all. Inspur K-UX is both Linux and UNIX(r), for example.

Also non-UNIX Mac means MacOS 9, since OS X is both UNIX(r) and in large parts of the core system internals also open source, even though you can’t practically verify the installed binaries… and the user interface seems to be closed-source anyway.

So yeah, open source doesn’t necessarily mean much if you can’t verify the connection between the code and binaries.

 

As for what I use … whatever gets the job done, preferably within budget. Open source has the specific advantage that it’s easier to get it fixed if there’s a problem, at a previous job we had a building full of software developers anyway so if it was more efficient to have it fixed in house… …and we did have slightly tweaked versions of some tools because of that. (If it’s just an internal tool and doesn’t go into product deliverables, the source doesn’t have to be released even under GPL, remember)

1 user thanked author for this post.

Bluetrix

Um.

Do you mean software that can drive multiple physical writer devices simultaneously, or something that can make multiple projects concurrently and queue them on a single writer device?

Because, those two things may require substantially different tools, it’s a question of workflow… I’d expect that for material compilations one would first assemble everything on random-write media (a folder on the hard disk, say) and then burn the whole collection to sequential-write media (DVD)? Sure, that usually requires an image generation step immediately before writing to DVD, but that shouldn’t be a very long one on anything even sort of resembling modern hardware…

 

At least crdtfe ( https://cdrtfe.sourceforge.io/cdrtfe/index_en.html ) should be able to drive multiple writers simultaneously, and traditional command-line tools (which cdrtfe is a frontend for) should have no problems running multiple concurrent copies of the program as long as they’re writing into different devices or files.

As for commercial use – it’s open source with no restrictions in that regard. Distribution of working copies of those tools by themselves may potentially involve a weird legal problem regarding the definitions of “collective work” and “derivative work” between different open-source licenses that apparently no one bothers to take to a court, but everyone agrees that as source code it’s freely distributable…

What really is a bother when with a name-brand laptop with officially supported powered docking station, sold as a factory-bundled package and warranty extension… still drains battery while on mains power if running a heavy software load.

Yes, this is one of the big-name manufacturers, current model (high-end variant of a low-end product series). And apparently it’s a “feature”.

Apparently everyone should only buy the models that come with a 3-year warranty without any extensions, or something.

1 user thanked author for this post.

EstherD

I tend to see Dell Precision models as refurbs… and they do seem to be excellent value for money there.

I mean, with amateur photographers like my aunt and such… given that Precision laptops tend to have decent to excellent display panels because they’re portable graphical workstations. And the pro-quality display panel is one of the more expensive parts to get in a new laptop…

(Hm, did I misclick something? My reply seems to have gone missing…)

There’s a bit of a deal-breaker with Office 365 Home, though.
https://www.microsoft.com/en-us/Useterms/Retail/Office365/Home/Useterms_Retail_Office365_Home_English.htm

The service/software may not be used for commercial, non-profit, or revenue-generating activities.

I mean, can’t be used for hobbies, can’t be used to write job applications, most certainly can’t be used for anything work-related even if you work from home… (Mail your kids’ Scoutmaster from the Office 365 Home account? That’d be a non-profit activity.)

Hey, with a mainframe you at least should be able to know where it is…

Can’t properly do the resource control accounting with modern software, like you used to have with a mainframe timesharing or batch processing outfit. Would be refreshing though, to have people want to optimize again for less CPU cycles and less RAM pages on the monthly bill… sheesh, almost did that kind of accounting at a previous job a few times, but fortunately the bosses never actually wanted it. (Was a software development and testing department… testing more, or grinding out more CPU cycles for a better-optimized final product, really wouldn’t have been good things to penalize.)

Eh, if not for the security and compliance features the E* offerings would… I mean there’s Power BI Pro and the voice features, …  what else that doesn’t fall under security and compliance?

… what old network printer was it again that was found to run a full copy of some old commercial Unix version, complete with insecure rlogind, trivial root password and all? And of course no updates…

And of course PostScript is a fully Turing-complete language and comes with lots of capabilities, so a print job could do all kinds of things if…

(That line of McCann’s is at least 10 years off – I was seeing such fully-networked printers from 1995… in large corporations and institutions.)

 

Apropos of the Office 365 Home – are the terms of use the same everywhere?

Because, last time I looked, the Home version had some rather annoying restrictions on what it may be used for… then again I’d need to check with a lawyer to see if those are actually enforceable on “home” users.

Hm, would’ve been simpler for rule-based management if there was a dummy do-nothing 32-bit version to accompany the fix… oh well. Apparently there just isn’t a 32-bit version of KB4461585 at all, at least I don’t see a download location for such a thing…?

… well, if they were uncommon back with XP, I must have been particularly unlucky then. I certainly remember several of these. Particularly on laptops with external displays through docking stations.

Rufus, though, doesn’t do that by default. The author of the program seems to think that by only writing either a GPT/UEFI bootable or a MBR/BIOS bootable helps people ensure they start in the correct mode. I think it’s a bizarre and nonsensical argument, but the author doesn’t agree.

Having seen some of the problems that can come from relying on factory defaults on this – it’s sometimes necessary to enforce correct boot mode that way. (Laptop that defaults to legacy mode but requires UEFI mode to work correctly with the dock, for example.)

Also hybrid boot can cause weird issues on some systems, almost all of them old models – technically it’s almost always a firmware bug in my opinion but on most of the affected models there’s no fix available.

And, well, Rufus is sort of an advanced tool so you could make the case that it can require knowing things like that. Besides, making a hybrid boot is significantly more complicated anyway, so if the tool is useful without that capability…

1 user thanked author for this post.

Cee Arr

Of course, cutting compatibility with older updates, even if it’s for security reasons, has certain risks too… it’s just, which is the lesser risk here…?