[clug] Any Public Service organisations using Linux desktop and
kim.holburn at gmail.com
Fri Jul 4 09:04:08 GMT 2008
On 2008/Jul/04, at 2:21 AM, Daniel Rose wrote:
> Kim Holburn wrote:
>> Would you trust your security to Microsoft?
> To some extent all of us do already, implicitly. If every instance
> of windows failed hard all at once, we'd all suffer somehow.
It is now thirty years since Robert T Morris planted a worm in the
which first brought the global network to its knees.
He was caught and convicted for (among other reasons)
"wasting system administrators' time" yet, as one commentator points
"Bill Gates walks free".
> Besides, a firewall is not the start and end of security.
No but it's an essential part of any multi-level security strategy.
> Kim I'm trying to argue with concrete examples as best I can and you
> give me rhetorical sound bites...
Look, a real operating system has security built-in, not a third party
addition. If you can't run it out of the box then there's something
badly wrong, it's incomplete and "not fit for purpose".
>> It depends on your license scheme and Microsoft has a few.
> Yes; and some are simple.
It's always simpler if every seat has windows. If that's not the case
you often have to pay Microsoft as if it's the case.
>>> Other third party applications like photoshop don't fit that
>>> standard, true, but again, we package and deploy applications
>>> centrally so it's easy to automate a count of what software has been
>>> installed where.
>> I guess you've never had to deal with Matlab, lucky you. You get a
>> few apps with weird licensing restrictions like Matlab and you need a
>> full-time licensing compliance officer.
> Oh yes, probably, and IIRC there was another thread that explained
> that there was no FLOSS software as sophisticated as MatLab.
They're closer but you're right. Still Matlab does run on the 4 major
>>> If you don't have centralised management then this all becomes
>>> harder, and with FOSS there is less incentive/need to have it, but
>>> at some point there's a ROI for centralised management where it's
>>> useful from a general IT perspective, not just for tracking
>>> copyright infringements.
>>>>> While it's easy to put together a case for a cheaper FOSS
>>>>> environment, it's harder to make it cheap enough to justify the
>>>>> All change carries risk. In the short term there are big costs
>>>>> involved in the change, such as the IT staff turnover, and the
>>>>> required to make the changes. The "missing" or "broken"
>>>>> features of
>>>>> the new environment will be noticed by staff right away, whereas
>>>>> features and other benefits that FOSS might have will take
>>>>> longer to
>>>>> be discovered by each staff member without expensive training.
>>>> It's been a good MS line but they have shot themselves in the foot
>>>> with it over vista.
>>> How? Can you elaborate?
>> All the talk about how difficult and costly it is to change holds
>> as well for Vista as it does for FLOSS.
> No. Windows Vista client supports Office/Outlook 2003 and Exchange
> and Active Directory just fine. I can swap out the OS and not
> expect to carry a lot of risk in integrating with the servers/
Strange about that. Windows systems just all work together, well
that's the theory anyway. Add in a FLOSS box and things just don't
work so well. As Dolly Parton once said: "It takes a lot of money to
look this cheap."
>>> Considering MS Office vs Open Office, because the new MS Office is
>>> more radically different from previous versions than ooo is, you'd
>>> expect that it'd be less trouble to move to ooo than to MS Office
>> Same point.
>>> However, it turns out that ooo is visually similar, but different in
>>> subtle ways, such as calc using ; and excel using , in formulae. Or
>>> is it the other way around?
>> Not to mention accuracy of calculations. Do you go with the
>> spreadsheet that is accurate or the one that gives you the same
>> results as Excel? In the US this is a SOX conundrum.
> So if the USA SOX people can't figure it out why should a Department
> of Grommits be expected to undertake the time and effort to do so?
> The problems we are discussing lie with DCITA, surely, and not any
> other Govt departments.
> On an unrelated note, It seems to me that DCITA could handle a root
> SSL certificate and get it added to firefox, and maybe IE also.
> Then all govt depts could get their certs signed by DCITA. Is this
> a workable idea? If we're forking over thousands per cert to Thawte,
> Verisign et al then surely this would be a sane thing to attempt.
> How hard is it to get a cert natively into IE? Do MS charge a lot?
Yes. It's a good idea. CACert is trying to do this at the moment -
well get their root cert into Mozilla. IE just requires vast hordes
of cash as I understand. Mozilla requires lots of stuff like audits.
If you add up everything, it's not cheap. You'd have to trust the
department to keep the root key safe ;-)
On the other hand you're going to use all those resources to get a
root cert that's only relevant in Australia into software that goes
everywhere in the world. What if each country did that? How many
certs would you need, how much bloat would that create?
>>> Many places have existing in-house VB macros across a huge swathe of
>>> documents, some of which cost a lot to get external consultants to
>>> do, which is all completely unusable in ooo.
>>> Exchange server is very widely used which, as it turns out, FOSS
>>> software can only talk IMAP to. It is no mistake, IMHO, that the
>>> latest version of exchange will not allow access to public folders
>>> via IMAP.
>> Like I said, lock in.
> Like I said, we're locked in!
>>> Nor can I buy Outlook without buying Office.
>> License compliance, cost.
> Not really, they just don't sell outlook separately. Not a
> compliance issue. I can install it separately easily.
>>> You cannot go to the point man (or woman) responsible for all this
>>> and propose to change the whole lot, top to bottom, just to save on
>>> the software costs. The installation and training and lost
>>> productivity costs will cost more than you will save.
>> This year.
> Yes, and budgets are calculated annually so it's this year that's
> most important.
> And if you're going from "pilot" to full production with no
> significant downtime in twelve months then you'll need more staff,
> and more cost and you don't save.
> If you're trying to get staff to add this on top of existing
> workloads then it will take more than a year.
>>>>> In general, one could argue that in business you need to take
>>>>> to make money.
>> See I don't really agree with that for a start.
> Well these days neither do I, but that's the reasoning often
> proposed to justify capitalism. The middle man/Investor/Retailer
> has to put in effort or money in the beginning and in theory isn't
> 100% certain of selling anything.
>>>> Are you saying that Government departments should waste the
>>>> money? Not to mention force the public to use proprietary
>>>> systems to
>>>> communicate with them?
>>> I said the opposite, that they should not risk the money. If I were
>>> to play your game, do you think that all departments should just buy
>>> whatever's always cheapest?
>> Ummm, I'll bite, yes, that's a definite point of view. You would
>> certainly have to justify not doing that and the justification would
>> usually be based on cost, one way or another.
> Yes. Cost, one way or another, and risk carries cost, and change
> carries risk.
Every decision carries risk, including the decision to do nothing.
It's a tautology that doesn't really help.
>>> How far do you think you might have to shrink a department's budget
>>> before it will drop windows?
>> Department's budgets don't work like that. The more money they spend
>> the more they get. Cutting a department's budget after a certain
>> point just means they can't do their job.
> Exactly! So if they spend more on the "safe" Windows option, then
> they get more....
> In any case my point was that a move from windows won't be based on
> tight finances; the dept would keep windows and shed staff,
> conditions and heating/lighting first.
>>> I'm going to assume that the proprietary communications comment
>>> refers to the MS-Word file format. I think that an individual
>>> officer who refuses to accept an RTF document should be reprimanded,
>>> and an apology issued to the sender of the document. Other than
>>> that, were you referring to a different format or system?
>> I forgot about archiving. Government departments are supposed to
>> guarantee that all their business is conducted in a way that can be
>> archived for x years and still be viewed. I don't believe it's
>> been seriously addressed or that Microsoft Office comes close to
>> addressing it. The change to paperless transactions has sort of
>> up on us all, but it has already passed and much business is
>> Of course "the paperless office" doesn't mean what we thought it
>> meant back in the day.
> I think many use Trim or similar systems. How many years is x? If
> it's less than 10, office is fine for this regulation as the
> licences are untimed and the master media can last as long as this
> when stored properly.
> Unless you posit a future in which a windows XP-capable PC can't be
> found or emulated, or in which ooo won't be runnable on any
> platform, then office file formats can be read for the short term.
Archivists talk in much bigger numbers than that. Look, I can go to
the British Naval Archives and read stuff from the 1700's. The
Vatican archives go a lot further back. This is a seriously big issue
that no-one has really addressed. Well, lots of people are working on
it... Hey, you should know that, the NLA digitised the papers of
Edmund Barton from 100 years ago. But those papers are still readable
by anyone without expensive equipment (if you don't count education).
>>>>> 4) Government regulation (again, not the right way things should
>>>> Why not? Regulating say that document standards must be open in
>>>> sense that there must be at least 2 completely different office
>>>> that can read and edit the same documents, a second source in other
>>> The government shouldn't be regulating that "There must be two
>>> office suites", IMHO. Besides, ooo fits this description already.
>>> Or they could regulate that the public must be able to
>>>> interact with a department without using Microsoft products.
>>> They already can; phone, fax, HTTP, email, in person.....
>> etax? and I'm sure there are many other examples.
> etax is optional! And I'd trust wine to run it; I'll let you know!
I have run it in wine. That's not the point. ATO's advice is that
you need windows. It would or should be relatively simple to port it
to Linux or Mac.
> There may be other examples but I can't think of any.
>>>> The regulation simply needs to stop MS forcing its monopoly, not
>>>> only on
>>>> the department but on everyone who has to deal with it.
>>> It's not as simple as you state here. The monopoly isn't forced on
>>> anyone in the way you insinuate.
>> I didn't talk about the way, so I didn't insinuate anything. You
>> a good example though. The latest version of exchange somehow blocks
>> FLOSS clients, fancy that.
>>> I don't use MS at work or home and I interact perfectly well by web
>>> and email with everything I've come across.
>> Until your work puts in a sharepoint server?
> ActiveX controls in sharepoint are optional, the system is still
> very slick without them.
Wiki is good. There's a lot of competition.
>>> Disability access standards probably already impose mechanisms for
>>> the access you are talking about.
>>>> You could also say that the Australian government should be using
>>>> local developers at least as part of the software they use rather
>>>> outsourcing the whole thing to a single US company. Regulation
>>>> doesn't have to be anti-Microsoft, it just has to mandate real open
>>>> and interoperable standards.
>>> Do you mean open as non-patented, EG OGG vs MP3, PNG vs GIF?
>> I don't believe GIF is patented any more.
> Nor do I.
>>> Our ISO group voted for the new MS "standard" to be adopted as
>>> official didn't they? Or did I get that wrong?
>> Sad, but still not adopted yet.
>>> Anyway, since much of the Govt uses software from places like Tower
>>> or Blue Duck and other local software houses then we already do
>>> that. Lots of software is written here. We don't "outsource"
>>> Windows production to the USA, we just buy what they were making
>>> You can't really mandate the existence of a standard, and you can't
>>> mandate its use unless it exists. If you mandate a specific
>>> standard in each area, you remove the freedom of choice from
>>> sysadmins and developers.
>> You can mandate lots of things. You have been talking about how
>> Microsoft software is essentially mandated in much of the government
>> and business. How come it's OK to mandate Microsoft but not FLOSS?
> No I didn't! I said it's installed, not mandated.
> Linux can be put on the desktop in lots of places:
> Home user: Fine.
> Small Business: Fine.
> Medium Business with good planning: Fine
> Brand new Govt Department: Fine!
> The problem is that with existing departments with existing staff
> and data, it's probably more expensive to change than the money it
>>> Is PNG always best, for example? And if the patented standard is
>>> free of charge to use and technically superior, must we use an
>>> inferior protocol because of ideology?
>>> Where would this leave Aussie Innovators? Patent and you're frozen
>>> out of .gov.au, don't patent and your ideas get "stolen"(!) by other
>> I hate it when people use "patents" and "innovation" together. Show
>> me how patents have contributed anything to innovation? Read about
>> the Henry Ford vs. Selden case and explain to me how patents do
>> anything except stifle innovation.
> We have to go along with the pretense! You can't sell to govt if you
> go around saying stuff like that, you may as well try to sell bombs
> to defence that don't explode in case you hurt someone.
That's not a bad idea. I read an article recently about an idea to
coat bullets with antibiotics - the trouble is it points out the
absurdities of our contradictions.
> If Australia doesn't participate in the US Patent scheme then we
> will lose money, and for now at least we have a society that relies
> upon money.
>> Almost all of our scientific and mathematical progress has come
>> because science and maths use a collaborative model, essentially the
>> same as a FLOSS model.
> Yes, but generally people don't buy formulae, they buy items.
That was true in mathematics until computers came along. A program is
essentially a formula.
>>> The CSIRO own patent 5,487,069, for 10GHz WiFi.
>> They own one of the essential patents on 802.11 too, for all the good
>> it's done them.
>> 10GHz? It's really a kind of long range, high bandwidth bluetooth as
>> I understand it. So your neighbours will be able to see what you're
>> watching on your TV. A solution looking for a problem.
> Just trying to point out that some Govt depts will be stuffed if you
> mandate "no patents".
I don't think that the patent system will be going away in a hurry but
some of the extensions that happened due to court cases could go
away, i.e. software patents.
Oh yeah, let's chuck out 2000 years of scientific progress and go with
a basically untried system and one that really doesn't cope with the
speed of modern collaboration. (Sorry it really annoys me).
>>> Don't forget that a lot of the TCO is in common. The arguments that
>>> are 100% in a home or small business or not-for-profit just don't
>>> scale to 1,000 (or 100,000) Dells on a three to five year refresh
>> And v.v. and it all changes if you change the number of years in the
> Then you need to talk to the people who make the finance rules, and
> now you're changing the way that assets are depreciated in order to
> fit an ideological agenda.
> If FLOSS needs so much massaging of the laws to get a toehold,
> perhaps it's not so amazingly good as it needs to be. Yet.
>>>>> 6) A whole new approach from vendors. Tentatively.... I can
>>>>> a single FOSS vendor with FOSS-savvy staff who can sell, supply
>>>>> manage the lot under an outsourced model, with generous contracts
>>>>> and maybe even money in escrow. This would not necessarily be
>>>>> profitable for the vendor, but if you have a big backer (Canonical
>>>>> haven't made profit yet, as I understand it) then a department
>>>>> agree. This means hardware, OS, software, helpdesk, firewalls,
>>>>> VOIP, network monitoring and reporting, email, the entire IT setup
>>>>> as a commodity. I think if you can do this, and deliver on
>>>>> to add or fix things the department thinks are missing or broken,
>>>>> then they might say yes. The idea is to extract the residual
>>>>> between the high risk that CIOs might think FOSS has, and the low
>>>>> risk that FOSS experts are confident that it doesn't have.
>>>>> I'm not sure that you can make much money though, especially if
>>>>> FOSS experts want salaries comparable with those offered by the
>>>>> private sector to do more interesting work!
>>>> I don't see why it needs to be a big change in the way they work
>>>> for a change in OS.
>>> Because the OS being proposed is a big change. If it was Windows <->
>>> Mac it wouldn't be such a big deal, Mac has Office and Entourage.
>> Why is it a big change? It's just software.
> FLOSS isn't "just" software, surely?!
>> The big change is that
>> most parts of FLOSS interoperate with other parts. You aren't
>> to one vendor for everything. Other than that it's just software.
> ... but Govt depts don't want software, they want reliable
> communications, reporting, etc etc.
> most parts of MS interoperate with other parts. I don't have to
> deal with weird drag and drop or copy/paste uncertainties.
> FLOSS apps integrate badly in the GUI, compared to the CLI.
I can't argue with that.
>>> With Ubuntu the OS means a cascading set of changes through the
>>> whole system.
>>> Even the xen virtual server management tool only comes as a windows
>>> This is a bit what Novell are trying to do, hold the hand, be
>>> reassuring, take on all the risk.
>>> They fail to do it well though, because they come across as too much
>>> the same, and they aren't cheaper enough, and because they have
>>> proprietary (closed even IIRC) extensions for the AD/Exchange
>>> integration they get it all wrong.
>>> Overall I'll assert that there's not a Government department in the
>>> country that hasn't got linux in it somewhere, as long as I can
>>> count Zauruses and routers and servers and so on, but Linux on the
>>> desktop is probably limited to technical staff, and at the moment
>>> there are good reasons for that, IMHO.
>>> I don't like MS and I don't like Windows, and it's not that there's
>>> no collaboration or email or whatever software for Linux, it's more
>>> that if you want Linux on the desktop at the department of Grommits,
>>> then it needs to be a success, and I don't think it will be without
>>> gutting the place and going 100%, I have strong doubts about the
>>> viability of a hybrid model for general staff. And a complete refit
>>> is risky and expensive, and there's no clear benefit to the
>>> management of Grommits, which is what the department's really for.
>> You're going to get complete refits every now and then whatever.
> No, not server hardware and desktop hardware and OS all at once,
> even a full DR Scenario after a fire keeps the same OS version.
> A greenfields site would be good, or one that's not got some of the
> big blockers (essential VB code, exchange server), but departments
> work on rolling deployments in order to minimise risk.
>>> And having said all that, if you think MS has a monopoly lock-in
>>> now, wait and see what it's like when Sharepoint really takes off.
>> Ahh sharepoint. How's it doing so far? It's been around for a
>> With FLOSS you can put bits in here and bits in there and they
> Well that's not true, MS offer APIs for all kinds of stuff, and
> plenty of companies earn money writing addons which integrate using
> these APIs. I can add on software from all over the place. There's
> more software packages available for windows than for Linux.
>> With Microsoft it all becomes suddenly "risky" to
>> change anything away from Microsoft because it's all locked in, with
>> as much work to force that lock-in as to make it work. Each upgrade
>> somehow disables all the competitive products from interoperating
>> it. Risk?
> Risk is low so long as MS stays viable, and now that Linux exists as
> a fall-back option, the risk of staying with MS is reduced, if
> anything, because I know that there's another option on standby if
> MS software ever becomes unavailable.
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3494957443
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961