% fortune -ae paul murphy

Responding to Readers

First: the missing MPG

My January 30th blog was about the boot time controversy. As various people pointed out this is really a complete non issue that somehow became a metric favoring Windows over Linux simply because Microsoft made the early appearance of the login screen a design goal for Windows/XP. What I tried to do was underline the absurdity of hanging a normative value on this by showing a Sun Ray going from power up to full login functionality in four seconds. Unfortunately Murphy's law kicked in, and the mpg wasn't made available to readers.

Here it is on my site; please be patient: it's on the end of slow dsl link. (And, if you're using Windows Media Player to watch it: download it first (or watch it a second time), otherwise it'll seem much longer than it is.)

A note to Carl

Gimme a break here, ok? you often see insult where none is intended and none is expressed. If you read my stuff a bit more carefully you'll see that when I do things like declare the average MCSE incompetent to run Unix it makes perfect sense: their certification is with respect to Windows, not Unix. The fault - and it's the most common form of idiocy I see in IT management- lies with bosses who think computers are computers are computers and therefore put MCSEs in charge of Linux implementations. That leads to mis-management, failures, and cost increases - duh, it's the same as if someone thought my accident free driving record gave me the hours in type needed to drive a 747: it doesn't, and in aviation no one makes that mistake, but in computing it happens every single day.

And yes, it does it cut both ways, but lets face it: as a group Linux people are more likely to be able to run Windows well than the other way around - after all, with Linux you spend most of your time learning to do things right the first time, with Windows you just spend most of your time doing things again.

And while I'm on the subject

Lets give no-axe a break too. There are talkback contributors I generally agree with (Roger, Carl when he's not feeling put upon, Zern, Erik, etc) and there are people like No Axe whom I generally disagree with, but it's often the disagreements that are most worthwhile. Read his comments carefully, and you'll see he's pretty consistent (wrong, of course, duh -:) ), but quite articulate and often able to contribute real value to the discussion. Remember: if you're going to comment, you need to focus on what was said, not on who said it, and that goes for everybody voicing contrary viewpoints -including defcon who (God forgive me for saying it) actually said something smart once.

Preying on LAMP

My blog on February Second was a comment on the core difference between the approach to security taken by the PC and Unix communities respectively. That drew a lot of comments many of which pointed out that the LAMP combination has a reputation for drawing a lot of attacks.

I'll be exploring this later, but off the top of my head I don't think this is anything more than a myth - in fact, a quick look at the numbers suggests that php and mysql vulnerabilities are much more easily exploited on Windows than on Unix. For example here's a line from an apache log on a server I administer showing a small portion of script kiddie attack aimed at a long extinct php vulnerability: - - [02/Feb/2006:04:31:53 -0500] "POST /xmlrpc.php HTTP/1.1" 401 465 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)

This one, by the way, was particularly interesting because this is a common attack but someone inside our own network was being very clever and interleaving his own much more focused attack inside the script kiddie one while faking in the script kiddie's nominal IP address on his own probes. Very cool really, except that it gave away his access to the NAT controller - a weakness that I think might eventually cost someone a job.

On the other hand, one of the happy truths about Solaris on RISC is that I could in fact put this target script and related software up and be at no more risk than I am without it - and I'm not sure the attack is effectively exploitable on a properly set up lintel machine either, but it would surely bring down a Windows box.

Data, Data, where can I get Data?

On February 1st I asked people for help in getting a handle on the real business costs of IE chauvinism. Somebody, somewhere, must have some applicable data... ?

Meanwhile the talkback contributions raised an interesting side issue. People who looked at their own results and commented generally seemed to put potential business losses from the use of non standard features (ie. as Roger would put it, from the use of MS Frontpage) at a much higher number than I would have guessed, with estimates of 20-25% being bruted. If that is in fact the right range, it may be that Unix users (including Mac users) are more likely than Wintel users to spend money via the web. To find out, of course, I need data...

And, of course, the people who say that doing it right costs no more than doing it wrong, are understating the case. I've consistently found that programming done to standards like those set by the W3C is less expensive to produce and maintain than programming done to proprietory interfaces and libraries because those change more often, more subtly, and with less documentation.

I gotta read the book

Talkback contributor Kirkaiya pointed out that Vernor Vinge's "Fire Upon the Deep" previewed my "modest proposal" on using cell technology in video conferencing by at least a decade. I think that's talkback reference I've seen to this book - so I got a copy and found that I'd read it years ago - but I'm reading it again now.

I have to admit, by the way, that I thought people would get all worked up over this one - but I guess trolling for hits just isn't going to work out for me -:)

From: "George Ou"
Subject: Trolling for hits?
Date: Thu, 2 Feb 2006 10:52:45 -0800
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
Thread-Index: AcYoKdqF11XandweSvWH0NsP9xVTHw==


Long on opinion, short on facts. This is almost as laughable
as Red Hat's and Secunia's defense of

Linux vs Windows; the performance debate

This drew a lot more comment than I expected - but Robert Crocker really hit the nail on the head when he pointed out that workload comparability is the key issue when applying these benchmarks to real world decisions. I agree wholly with that, but we don't have perfect benchmarks and there's still lots of unmined intellectual gold in what we do have. In particular, I've been looking at embedded processor benchmarks -and finding lots of reasons to think it takes two x86 cores to keep up with one PPC.

Some people talked about doing their own tests -and more power to them. I've thought about it but the interesting companies, including both Microsoft and Oracle, explicitly forbid benchmark result publication when you license their software so what would be the point?

And then there's this comment by Tracyanne:

Linux takes about 10 seconds longer to show a working desktop, I boot both Linux and MS Windows (XP) desktop machines everyday. But then MS Windows is still loading services well after the desktop has become usable, and on my development machine that means I can't access MS SQL Server for at least another 10 to 20 seconds.

And that, of course, brings us back to the missing mpg mentioned in the first line of this blog - and if I hadn't written all ten of these blogs before going skiing I'd certainly have quoted her instead of Mr. Bender last Monday.

Bottom line?

Thank you all, and it's back to old clothes and porridge - well, megahertz myths and Unix security mistakes- for me.... starting tomorrow.

Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.