Monday, 27 January 2003
9:50 - Heads-down writing again this week. I have several chapters in progress and want to get at least a couple finished up and off to my editor. That means my posts here will likely be sporadic and short.
Tuesday, 28 January 2003
9:47 - Still churning away on chapters, with not much else to report. I should have two or three more chapters posted on the Subscribers' page by the end of this week or early next.
Wednesday, 29 January 2003
7:56 - Someone forwarded me this, with the note "Read it all". At first I took it for a spam...
10:52 - Still churning away on chapters, with not much else to report. Thanks to everyone for bearing with me...
I'm a member of the Dorothy-L mailing list, which is frequented by mystery authors and mystery readers. One of the authors, a woman, posted a question to the list. She's trying to write a male character and
To which I responded:
As I once said to my wife, it's almost a secondary-sex characteristic. A person is unable to fit into a pair of pants. If it's a man, he says, "These pants are too small". If it's a woman, she says, "I'm too fat".
A woman judges herself using the world around her as a yardstick. A man judges the world around him using himself as a yardstick. For example, I am about 6'4" tall and weigh 240 pounds (give or take 20 pounds). I consider anyone smaller than me "small" and anyone larger than me "large". Someone about my size is "normal" or "average" (and, yes, I know that if you want to get technical I'm actually much larger than average, but I still consider my own size normal or average).
That, incidentally, is the reason nearly any man when describing the size of his wife or girlfriend to a female sales clerk says, "she's about your size". We're not trying to be funny. We really do consider all women to be "small" and therefore of about the same size.
Can a man be concerned about his weight? I suppose it's remotely possible, although very unlikely. If a guy goes to the doctor after a heart attack and the doctor tells him he'd better lose 50 pounds or he's going to drop dead, the guy might think about dieting. But probably only think about it. Barring jockeys, boxers, and other men for whom their weight is significant for some external reason, I can't imagine that most men even know what they weigh.
There were several responses on-list, but the more interesting ones were off-list. A couple of people said they found my response amusing. For example, one said:
That's the curse of my life. When I'm totally serious, people think I'm kidding, and when I'm kidding people think I'm totally serious. It does have advantages when playing cards for money, though. What surprised me was that a couple of people, one a man and one a woman, were offended. They claimed I was sexist. I didn't think so, but then being a man I use myself as a yardstick, and my self-image is that I'm not sexist. So there.
This from Mark Huth:
My own opinion is that Fred Langa is full of it. He's comparing apples to oranges in several respects. First, although technically "Linux" is only the kernel of the GNU/Linux operating system, I think it's fair to use the word Linux to encompass the kernel plus the GNU utilities. What's not fair is to compare basic Windows against Linux plus the thousands of separate applications that come on a set of "Linux" distro CDs. If Langa wanted to be fair, he could compare the full Red Hat 8.0 Linux distro against, say, Windows XP plus the 2,000 most popular Windows applications.
Most of the security flaws Langa counts against "Linux" are in fact security flaws in unrelated applications that just happen to come with the CDs. If my Linux CDs come with half a dozen web server applications, a dozen mail server applications, a dozen email clients, half a dozen full office suites, and so on, why should flaws in any of those count against Linux? If you compare the core operating systems directly, say Windows XP Professional versus Red Hat 8.0, you'll find that the Linux OS has many fewer security holes, that those holes are much less serious and more difficult to exploit, and that the holes are patched very quickly, typically hours or days for Linux versus weeks or months for Windows. In terms of relative security, I'd say that if Linux corresponds to Fort Knox, Windows corresponds to a kid's piggy bank.
But it's not just security holes that are the issue. More important are the typical defaults for the operating systems. Linux is typically pretty secure by default (although there are exceptions, such as one famous Linux distro I won't name that by default configures the sole user with root permissions and no password), whereas Windows by default is pretty much wide open. I run Windows on many of my production systems, and I'm not in the least concerned about anyone breaking in or a virus/worm nailing me. I use a firewall, configure Windows to be as secure as it is capable of being (which is to say not very), and run mostly applications like Mozilla that are reasonably secure compared to such Microsoft applications as Internet Explorer and Outlook. I don't even bother to run anti-virus software routinely, because any email virus that arrives here starves to death before it can do anything nasty.
I have no doubt that a top-notch cracker could break into my systems and wreak havoc. But why should he? He won't gain much, if anything, and his efforts are better spent elsewhere. What's important is that the script kiddies and cracker wannabees can't compromise my systems. There are many thousands of them out there, but who cares? They can't hurt me. The only ones I have to worry about are the really skilled guys, and there aren't many of them. So I don't spend much time worrying about security, and I don't think others should either. Get a decent firewall, properly configured, get your OS and applications reasonably well secured, update them regularly as security patches are released, and do frequent backups, sure. But otherwise I don't see any point to worrying too much about security.
10:48 - I saw an article on CNN Tech about a website that was soliciting votes for a Patron Saint of the Internet. I visited that site, only to find that it was in Italian. What's truly strange is that I could pretty much understand it. Not perfectly, of course, but well enough to get the meaning of what I was looking at. I guess that's because I grew up with a lot of Italian friends, many of whose grandparents and parents spoke Italian at home, and because I took Latin in school. What's odd is that I'd have expected to have about the same level of comprehension of written Italian as I do of other Romance languages like French or Spanish, but for some reason I did much better with Italian.
I've been exchanging private mail with several people about Linux versus Windows security vulnerabilities. Most agree with me, some think I don't go far enough, but at least one thinks Langa has a point. My own position is unchanged. Windows is inherently insecure (as Microsoft executives have themselves admitted) and Linux is inherently very secure. Not as secure as some other operating systems that were specifically designed to be hardened against crackers, but secure enough (if properly configured) to be Good Enough for all but the most stringent security requirements.
Would I run a standard Linux box as my border router/firewall? Sure. I do that now. It's locked down a lot tighter than, say, a standard Linux desktop or server system would be, but it's a standard Linux box nonetheless. Even my older gateway system, a Windows NT 4 Workstation box running WinGate, was sufficiently secure for me to be completely comfortable with it. Roland Dobbins, who is no fan of Windows, once tested that NT4 box and concluded that it was "pretty secure for a Windows box", or words to that effect. Coming from Mr. Dobbins, I took that as a ringing endorsement. And my current Linux firewall is probably an order of magnitude more secure than the old NT4 box. Brian Bilbrey and Greg Lincoln have hammered it, and conclude that it's locked up pretty tight. That's good enough for me. Roland, Brian, Greg, et alia are part of a group I think of as "guys I wouldn't want to have mad at me". If they're satisfied, so am I.
Does that mean I'm secure in an absolute sense? Of course not. The only way to be secure in an absolute sense is to disconnect your network from the Internet, and even that leaves physical security as a concern. No computer anywhere is secure in an absolute sense. The computers buried in the basements of the NSA, not connected to anything, and protected by tiers of guards with automatic weapons are not secure in an absolute sense. But they're pretty damned secure. My boxes aren't as secure as that, but they're still damned secure.
The question is how secure you need to be and how much time, effort, money, and inconvenience you're willing to devote to reaching that level of security. It's analogous to your home. Do you have deadbolt locks? Probably. But chances are they're QuikSets or something similar. As it happens, given enough time, I can pick a QuikSet deadbolt. That means your home isn't secure against me. So perhaps you should replace the QuikSet deadbolts with Medeco locks. I can't pick those. (Well, actually, I've never tried to pick a Medeco lock, but I'm pretty sure I wouldn't be able to.) But Medeco locks are very expensive. They're also inconvenient, because when you want a spare key you can't just run down to the hardware store and have a copy made. If you install Medeco locks, you'll secure your home against me, but at a significant price in both money and convenience. Is it worth it?
To decide that, you have to decide the threat level, the value of what you're protecting, and the trade-offs in money and other costs. When it comes to securing your home, I'm a step above the equivalent of the script kiddies, but a step below the truly skilled crackers (locksmiths). You have to decide what the likelihood is that I (or a locksmith) is going to decide to break into your home. Most people would agree that it's not very likely. There are millions of potential break-in targets, and not all that many locksmiths. There are even fewer dishonest locksmiths. By installing the QuikSet deadbolts, you've protected yourself against the script kiddies. Unless you have a fortune in jewels at home (and it's public knowledge that you have it), it's probably not worth the effort to replace your QuikSet locks.
That's why I have QuikSet deadbolts on my home rather than Medeco locks, and that's why I don't worry too much about the security of my home network.
This from Bo Leuf:
10:57 - Just as I published the entry above, I checked my mail and was horrified to read a message about the Shuttle disaster. Losing one was catastrophic. Losing a second probably means the end of the STS program. There's speculation about sabotage, of course, but my guess is that it will turn out to be something more mundane. Most likely, a failure of the tiles that allowed the heat of re-entry to destroy the integrity of the airframe. My thoughts are with the families of the astronauts who died this morning.
Copyright © 1998, 1999, 2000, 2001, 2002, 2003, 2004 by Robert Bruce Thompson. All Rights Reserved.