The GPL3 is perfectly in effect under this scheme.
If I release source under the GPL3 and you use it in a Tivo-style box using this scheme, you still must release the modifications to that source, and you still must allow replacing it. Thus the GPL3 does exactly what it intended to do.
All you get with this is the ability to stuff your chunk of proprietary code into the device in such a way that it's protected, while still satisfying the requirements of the GPL3 part. Big deal. You can only do that if you developed it fully independently and it's not linked to the GPL3ed binaries.
Sure, but it's fun making fun of the fact you are clearly a Stallman fanboy with no ability to think for yourself. Though it's getting old now, and your 'arguments' seem to be more in the mold of denial.
Did Stallman steal your lunch money at school or something? Look, you're the one bringing up Stallman here.
The very fact that you think quoting some "Open source is better, yeah!" rhetoric is a logically valid argument means it's no more use arguing with you...
If I was a Stallman fanboy, I'd be talking about *Free Software*, but I'm not. Also, I'm not quoting anything.
You seem to know (or at least think to know) Stallman's opinions on things better than I, as I have no clue what rhetoric you think I'm quoting here.
Except the support contract doesn't end when the programmer leaves his job
Dude, what support contract? I'm talking about off the shelf software here. Like Windows, say. It doesn't come with any sort of support contract unless you buy it, and the EULA explicitly disclaims all warranty. This goes for 99% of the stuff on the market.
There are exceptions of course (like custom applications contracted by the customer), but 99.9% of normal people don't use anything of the sort.
Whatever you say Mr. Stallman. So the question is, do you think this because you are blinded by ideology, or the other reason?
What Stallman? Who mentioned anything about him? Can't you avoid having to resort to bringing up people who have nothing to do with the subject?
It's simple logic. All other things being equal (and they perfectly can be, because I'm not talking about any specific license here), the availability of source makes it much harder to sneak something nasty in. QED.
But you're not making any sense anymore anyway, because you're foaming in the mouth imagining me to be some adept of Stallman's.
And there are many more such OSS projects. What's your point?
That your claim that commercial software somehow provides some sort of guarantee. You imply that when you say "Virtually every piece of commercial software has to be supported, which means you have to have a support staff looking at the code. [...]". Many companies DON'T have any dedicated support staff. When programmers are the support staff they can do whatever they please. If they put a trojan in, there's not going to be anybody over them watching.
Open source obviously has the advantage in that it is easier for third parties or users (in the rare cases where they have the knowledge and time) to verify what the program does.
Right, so we agree here.
But it also has disadvantages in that it is easier for someone dishonest or unskilled to participate in them, and there isn't anyone to hold accountable when a problem occurs
Disagree, it's neutral. Anybody can write software. Neither closed nor open source is inherently harder to write or publish. Possibility of collaboration isn't very relevant, I can work with somebody on a closed but free of charge program, or publish OSS and not accept anybody's patches.
(they are generally provided as-is without any guarantees).
Just like every piece of software in existence. Maybe with the rare exception of custom contracted coding, but that's not what we're talking about here.
There, I had to resort to name calling. Did that make it clear for you?
Yes, that you lost the argument, since you can't find anything better to say. Thanks for playing:-)
Virtually every piece of commercial software has to be supported, which means you have to have a support staff looking at the code. These guys will often find any vulnerabilities you left (debugging the software is kind of their job), and even the most rudimentary form of source control will have a way to determine who put in what code.
Nothing at all is stopping me from becoming a 1-employee company and selling software. That doesn't confer any magical safety benefits for the end users.
There are programs in wide use (especially shareware) made by a team of 1-3 people. File compression tools for instance. Moonpod, a company that sells games online has 2 employees. They manage fine.
Contrary to popular belief, Sony being forced to give away the product they usually sell for $10-$15 each costs them a lot of money. And of course you are forgetting they have to recall all existing rootkit CDs, which is always expensive. Again, the results of class action lawsuits never look great from the perspective of the individuals participating in the suit, but companies are hurt by them.
What, it's the piracy rhetoric now? Look, it's data. They lose nothing by giving free stuff that costs about $0 to produce to people who probably wouldn't have bought it anyway (would you participate in the class action lawsuit then go buy another Sony CD?).
Trust me, it's perfectly possible to set that up and be anonymous. Just because you can't doesn't mean someone with some reasonable level of technical skill can't. Yes, many OSS projects ensure they have enough information that they know who you are, but certainly not all. It's not hard to set up a sourceforge account with a free untraceable address from someone like gmail that you then only access from someone's open wireless network.
Right, and I can do that with a closed source app as well. Only it'll take more time to figure out what it does, and I can connect to a wireless AP once, upload my trojan to a bunch of download sites, then never appear again.
So you can more easily discourage an individual who can easily remain anonymous and who might not have any assets and thus be willing to risk it all if they did somehow get caught than you can a large corporation who you can file a class action lawsuit against? I think you are in denial.
No, you are the one thinking that incorporation somehow confers magical safety benefits. Seriously, look at the amount of outrage it took to get SOMETHING to happen. And the end results were really disappointing. Now if the judgement was paying $100 per sysadmin/user hour spent removing the crap from their systems, then maybe it would have made some effect.
You can bet that if some 16 year old kid did that to Sony they'd have come up with some damage figure in the hundreds of thousands of dollars at the very least.
And it's not like it changed anything either, see the junk made by Sony shipped with BioShock.
Ok, but if you want to be all elitist and dictate who is a computer user and who is not, why not go all the way and rule out all Windows users?
Because in my view, "user" involves using, and a computer as a general purpose device is something that you very reasonably expect anybody can install something on.
All normal people I've seen have lots of third party software. The most computer illiterate person I know has installed a music score editor, and seems to have filled the disk with stuff downloaded from kaazaa, at the very least. Certainly there's a lot more than that there, but I didn't investigate.
Also not a single person can seem to resist a bit of personalization as it's a "personal computer" after all. Hard to call it your own if you don't at least change the desktop background and download a couple cool screensavers.
If your company is selling software (otherwise it would be irrelevant to the point) and you are the entire IT staff, then your company probably has problems.
Oh, it isn't. But you seriously overestimate the level of control going on in places. While I'd completely agree such a thing would be bad management, I'm pretty sure it happens quite a lot, too.
Times a lot of customers.
I don't think you understood it very well. Those albums are effectively free to Sony. They're downloads. The only people they lose a bit of cash on is the ones choosing the cash, and the terms seem to be done in such a way that taking the cash is the unfavourable proposition. 3 albums, or $7.5 and one album. Googling around, $7.69 is the price of a cheap one, and it's not hard at all to find one for $14 to $70.
So maximizing what you get out of it would mean going with the 3 albums option, out of the amazing catalogue of "over 200" of them.
Now certainly Sony will lose a bit of cash over this, but combining that not nearly everybody they screwed over will join the lawsuit, and that most of the settlement is effectively free to them (just like MS paying with MS software), they're getting off very, very cheaply.
First, you are assuming you can catch him, which is unlikely if he is an anonymous OSS developer. Second, that isn't how bankruptcy works. It is perfectly possible for someone to recover from bankruptcy. Third, it doesn't matter if the other party is a multinational or an individual, class action lawsuits don't return that much to each person in the suit.
Ok, if he's so anonymous, how did people get to use his software in the first place? Generally distributions don't include software without an active and reachable developer. If you have a website, domain, email address, etc, you're reasonably easy to trace.
In other words, you wouldn't get a penny if this was an individual. So take your $7.50 and consider yourself lucky.
Not the point anyway. The point is to discourage bad behavior, and you can discourage a single person a lot more effectively than a corporation.
No offense, but the Windows users you know are not representative of the community as a whole. Many just use whatever they are given, and don't bother installing anything else unless they absolutely need it. If Windows users were always prone to download any app they could find, why would the EU be concerned about what software MS pre-installs on their OS?
That'd be one incredibly boring existence. Windows comes with very little that is useful.
What you say might apply to people who only very occasionally use a computer for printing something, but those wouldn't be what I call normal users, just like I wouldn't call somebody who gets their bicycle out once a year a cyclist.
Normal Windows users are generally knowledgeable enough to understand basic things -- such as how to find, download and install something, but not enough to understand concepts like security, phishing, the registry, how the Internet works even on a basic level, etc. How programs are created is an incredibly mysterious black art to them, and it never comes to their minds that a program can be easily altered and redistributed. Surely Winamp is Winamp, even if you find it on evilhaxx0r.com, or it's emailed to them by some random person.
These people will typically disregard precautions by telling you to stop being so paranoid, as "who'd want to break into my computer anyway?", assuming that people only ever break into things like banks and the pentagon as seen in the movies. Several people asked me whether I could break into a bank or the pentagon.
Attempts to explain that running programs sent in mail attachments are often fruitless, as they're really sure Bob would never send anything malicious.
Ok, your company sucks (either that or you are an arrogant prick who thinks all his coworkers can't do a thing when in reality they are just as capable as yourself). What's your point? There are plenty of open source projects where the developers miss things as well (as I illustrated in my last post).
No, the company is simply small and doesn't concentrate on development. I double as the sysadmin. That's all the IT staff (me).
Not every company is some IBM-sized gorilla.
Boycotts are for sissies. If a commercial software program is found with a vulnerability, they will be the subject of a lawsuit. And then they will go back and check the records to see who inserted that code, and you will be caught red handed.
Vulnerabilities? I don't remember MS being ever sued for that, and they've had plenty.
Now how it goes with intentional rootkits, well, see below how that worked out.
Sony is currently facing class action lawsuits against them for rootkit incident. And they did get a lot of bad press, which certainly hurt their sales. The lack of criminal prosecution (so far) doesn't mean they got off cleanly.
Big deal. "Cost of doing business". The RIAA also gets lots of bad press, but they don't seem to be going anywhere. You can bet most people haven't heard of the whole debacle, the majority of them didn't understand it, a good portion didn't care, and most of them forgot about it by now anyway, since Sony is a well known brand and that obviously means they're trustworthy.
In comparison, a hacker who submitted a patch or started a project anonymously with such a vulnerability could get off without a scratch. And even if he did get caught, it's highly unlikely that he would have the assets for you to sue him and recover any damages.
Yes, because people got a pile of money from Sony. Let's see, the settlement was: "Customers who exchange their XCP CD can either download three albums from a list of over 200 titles, or claim a cash payment of $7.50 and a free download of one album".
Such an incredible settlement! You can download 3 albums, from an amazing list of over 200 titles (probably 201, heh), and whic
Doesn't matter if it is the submitter of a random patch or the original developer. Either one could be anonymous. Yes, I am aware that is not the case with most large OSS projects, but they are not the ones I am worried about.
There's a difference of scale.
In the first case you have a developer who wrote the whole thing, got found out, and inexplicably managed to convince somebody to stay silent. This developer has the size on their side, because the chances of that people won't look very well at a 50K line program is much greater than that something will be missed in a 10 line patch.
I don't know the statistics here, but I'm guessing most Windows users don't install that much (intentionally, at least) that doesn't come with the computer.
You've not dealt with enough Windows users, I see. Most of them seem to install any crap they can find anywhere. Programs menu nearly always doesn't fit on the screen without scrolling. You can find things like Bonzi Buddy (installed intentionally!), every IM messenger in existence, tools like WinZIP, WinRAR, file sharing tools, MP3 players (winamp), CD ripping tools, Photoshop/3D Studio/Maya/whatever (mostly pirated of course), keygens for those (made by VERY reputable people), tons of screensavers, etc, etc.
Now most of those are legitimate, but you can bet the average user knows that Winamp is cool and popular, but doesn't think there's any reason not to download it from the first website they come across (which is fairly often not the official one).
But it doesn't end there, you can expect to find every cool plugin ever made for Winamp as well, which includes nice things like Wildtangent (spyware).
Then of course, not like using only "official" stuff is a guarantee of anything. See the Sony $sys$rootkit, delivered on original music CDs, and nearly every computer manufacturer ships the system preloaded with all sorts of crap (it seems Dell even shipped preinstalled spyware).
This one guy I know reformats his system every couple of months, because it must have about every form of spyware in existence. Ads popup at random, IE crashes for no reason, youtube works in firefox but not in IE, takes ages to boot...
It doesn't need to go in all distributions, just one or two. And it doesn't need to go in the official stable version for people to install it, many people use bleeding edge versions of distros.
That's not my point, my point is that while the Debian maintainer might not read all of firefox, the Red Hat one is probably not looking at exactly the same parts source. That a single person doesn't read it all doesn't mean that collectively, over time, people aren't going to get through all of it. And you don't need to read all of it either, suspicious things can turn out from grep or when debugging something.
"Easily" is obviously a relative term. Are you really suggesting people do this with all their open source software, all so they can avoid running something like AppArmor?
No, but this is perfectly possible for a distribution to do. End users shouldn't be compiling anyway. The distribution making sure their toolchain is good is enough.
Yes, there certainly are advantages to OSS, but that's not one. I'm fairly certain your chances of having your vulnerability being caught AND it being traced back to you are much greater when you put it in as an employee of a software company as opposed to an anonymous developer of an OSS project.
Uh huh. I work at a company (working on internal code though). I could put any crap I wanted there, and probably nobody would ever find out, because nobody else at the company is capable of reading the simplest code. There are many companies, some of which are too small to have any sort of review process, and some of which do this stuff intentionally and honestly don't give a damn. You can't even boyco
One big problem I see is that lots of code communicating with closed-source stuff like hardware, proprietary file formats, etc. will contain magic strings or binary blobs deemed necessary to work with the closed stuff. It would be much easier to hide malicious code in there and get it past reviewers' eyes...
What's this "lots of code" you're talking about? On a normal Linux system that's maybe the nvidia driver and that's about it, and somebody is doing work on an open version of it. File formats used by OSS are usually very well documented (excluding a few things like reading MS office files)
I beg to differ. A skilled programmer with malicious intent can be incredibly stealthy. While "good" code would likely just open a file by its full name, "bad" code would likely obfuscate it beyond recognition.
Right. And that bit of code looks obviously harmless. You'd obviously scroll right by it if you saw it in some package's source, because there's absolutely no chance anything odd would be going on in a piece of code like that.
I mean seriously, that SCREAMS that there's something odd there.
Here's the same challenge for you as for the other poster: Write some code that accesses some file it shouldn't, and does something with the data in it (writing it to a socket say) in such a way that you can't tell what's it doing without looking really well at it, and it looks harmless or to be doing something else.
This obviously excludes clear obfuscation, horrible formatting, encoding the filename in any way, hiding the file open by doing the syscall by calling int 80, etc.
Would it be difficult? Sure. But if you think it is impossible to hide an access to a file you are not supposed to see, you are obviously either new to writing software, or you lack imagination.
Ok, if you're so clever, provide an example of code that reads a file without making it easy to tell what it's doing, while avoiding looking suspicious.
That's an example of why such activities should be rare in the commercial world, where the developer's name, address, social security number, etc., are all on record. But not in the world of many open source projects where it is perfectly possible for someone to be practically anonymous when they submit their patches.
Don't change the subject. The original post was about a developer releasing "evil" code, then turning somebody who finds it to their side. Now you're talking about people submitting patches with something hidden in them. Completely different scenarios.
Most OSS projects don't blindly accept patches. Certainly not the ones in widespread usage. You might sneak a buffer overflow in, but to sneak an outright trojan would be seriously challenging. The submitter's anonymity isn't a problem if source is being examined.
Considering how many software packages a person typically has installed on their machine, that extra 1% is pretty dangerous. Yes, the official packages you got straight from the distro may all be fine, what about that new upgrade you went to that great new rpm repository your buddy told you about?
Stupidity exists everywhere of course, and can't be eliminated 100%. But while for Linux users perhaps 1% of all software comes from unverified sources, for Windows users it's 99%. Just why exactly do you trust that say, Trillian isn't doing anything strange? Nobody but its developers really knows what's there.
You honestly think the owners of the distros look at all the source of each package they include? You must think they have no lives whatsoever.
Not all of it, but there are many distributions, which each look at different parts of the source. To sneak something in you'd need to be really sure that part won't get looked at by anybody, and that's hard. Developers watch mailing lists, talk to people who work on the project and use 'svn diff'.
I fail to see how that helps. How do you know the different compiler isn't the one with the Trojan? It's like if we were picking apples from a tree and I point out you have no way of knowing the one you just picked hasn't been poisoned, you throw that apple away and pick another one.
First you build gcc with icc. This is icc_gcc. Then you build another copy of gcc with gcc. This is gcc_gcc.
Now you have two gccs with different code generated by different compilers.
So now you take both of those, and build the gcc source with both icc_gcc and gcc_gcc. Both should generate the same code. If they don't, something's fishy.
You can easily do this with more compilers and multiple versions.
I'm not saying don't use open source software. Just don't pretend it is immune to the problems that plague commercial software and forget about all precautions (like not running something like AppArmor, to tie this back to the original point) just because what you are running is under the GPL.
Well, I still think it can't be defined that the OSS approach is superior. It's not impossible to sneak something in. But in doing so you must take a very high risk of being found out, and if somebody tracks that back to you, well, chances are you're going to have to look for a new career. People with a known record of coding nasty things aren't very well liked in the software world.
Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that occasionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.
Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)
Well, I just tried to ltrace it, it's interesting.
Lots of output, but no getpw or open in it, and before starting skype says "Binary file corrupted. Please reinstall skype". So can't get very far with ltrace.
Either ltrace screws something up, or skype intentionally makes it not work.
Skype is a realtime app (in both a2d and d2a directions). Interrupt statistics, CPU loads etc are vital for the app to decide what quality of encoding/decoding it can afford to do.
Why isn't it looking in /proc/cpuinfo then? /proc/interrupts doesn't contain any indication of how many interrupts can be serviced, nor the time it takes to service one, or the load caused by the interrupt, so it seems quite pointless performance-wise.
Best harmless use that comes to mind: Skype knows that device X and device Y create problems when sharing IRQ, and contains some sort of message to the user in that case.
First you assume that the person(s) that read it would catch anything evil in it. It's not like the evil code is necessarily going to be in a function called doEvil(), it could be very cleverly hidden among legit functions so that most people would miss it. With good obfuscation it wouldn't be hard to make something that people would have to play with a debugger just to figure out what is going on, and as such miss it on anything less than a really intense code audit.
This sort of "evil" is very transparent. You can code a hidden buffer overflow/exploit/backdoor in such a way that it's not obvious (= instead of == for example, caught in the Linux kernel once). But how do you hide an access to say, /proc/interrupts? You need to spell out the filename, and there's got to be an open or fopen for it somewhere. Any attempt to encode the filename is going to be weird and suspicious. Plus, file parsing would be quite a bit more than a single line of code, so it's hard not to notice something is being read, stored, etc.
Second, you assume the people who look at it aren't in on it. So maybe a couple people look at the code and find the evil bits. They contact the developer and ask what's up. The developer then lets them in to his cabal, who can use the evil bits for their own ends. The people decide they like this and don't tell anyone. The people who read the code have to be honest for this to work.
Uh huh. Such a thing would be an outright admission of evildoing. Depending on what is being done it might be enough for a lawsuit, and definitely enough for mass publication all over the web to ruin the developer's name. Slashdot had a story on some Mac developer who claimed there was an anti-piracy check that'd delete the user's documents folder. Just the claim (which the developer says wasn't real and intended to scare people off) resulted in such outrage he's probably unemployable for years now.
No, anybody with any brains would deny any wrongdoing and claim a hacked server, or pretend that no mail is arriving at all.
Fourth, you assume that the binaries are the same as the source. I'm betting at least some of the time, and probably more often than that, you install things from a binary package. It's easy and much faster than compiling everything. Great, but how do you know the source follows the binaries? It would be easy to release an untainted source, and then tainted binaries. That the checksums differed wouldn't be of any note, since it could just be that different compile options were used, or even a different compiler (for example using ICC since it generates more efficient binary code). As such no source audit would ever turn up the problems.
But 99% of Linux software is delivered by the distribution, with the package maintainer often being completely unrelated to the developer. While it's not impossible for something weird to be going on, those distribution maintainers do things like patching the source and dealing with its bugs. You can bet that eg, the Debian maintainer of Firefox looked at the source.
Finally, even if you compile your own, you assume that nothing else is in on it. I'll refer you to the classic Ken Thompson story http://cm.bell-labs.com/who/ken/trust.html. Some other program, and not just the compiler, could be in on inserting a trojan. It might never exist in source form, yet always get compiled in. Thus even a build from a verified source isn't a defense.
That's a tricky one, but you can use a different compiler. Compile gcc with icc for instance. For OSS I think this approach is unlikely due to the frequency with which somebody decides "let's rewrite this part". It's easy to make a compiler that covertly changes some well known part of the source, but it's much harder to deal with a complete reorganization of it. To keep it up would need updates
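The Thompson compiler trick referred to here, and the "build gcc with icc, then build gcc with both results and compare" recipe given elsewhere in this thread, as an added toy model (not code from the thread or from any real compiler): a compiler "binary" is a string of TABLE lines; the trojaned one also carries a HOOK line that is nowhere in the compiler source, re-emits it whenever it builds a compiler, and inserts a backdoor whenever it builds the login program. The opcode language, the TABLE/HOOK format and the assumption that the two honest compilers emit identical output are all constructed for this example.

```python
import hashlib

# Constructed toy sources. A program is a list of opcode names; a compiler's
# source is simply its translation table, one "opcode=output" line per entry.
COMPILER_SRC = """\
; compiler
print=CALL print
read=CALL read
check=CMP password
"""
LOGIN_SRC = """\
; login
read
check
"""

# Compiler "binaries" are strings of TABLE: lines. HONEST_GCC and ICC stand
# in for gcc and icc built from honest sources; by assumption (not true of
# real compilers) they emit the same output for the same input. TROJAN_GCC
# is a gcc binary carrying a HOOK: line that exists nowhere in COMPILER_SRC.
HONEST_GCC = "TABLE:print=CALL print\nTABLE:read=CALL read\nTABLE:check=CMP password\n"
ICC = HONEST_GCC
TROJAN_GCC = HONEST_GCC + "HOOK:reinsert-self\n"


def run_compiler(compiler_bin: str, source: str) -> str:
    """Run a compiler binary on toy source and return the output binary."""
    table, hook = {}, None
    for line in compiler_bin.splitlines():
        if line.startswith("TABLE:"):
            src_op, out_op = line[len("TABLE:"):].split("=", 1)
            table[src_op] = out_op
        elif line.startswith("HOOK:"):
            hook = line
    body = [l for l in source.splitlines() if l and not l.startswith(";")]
    if source.startswith("; compiler"):
        # Building a compiler: emit its table. A hooked compiler also copies
        # its hook into the new binary, so rebuilding from clean source does
        # not remove it (Thompson's point: the hook never exists as source).
        out = ["TABLE:" + l for l in body] + ([hook] if hook else [])
        return "\n".join(out) + "\n"
    out = [table[op] for op in body]
    if hook and source.startswith("; login"):
        out.append("ACCEPT backdoor")  # inserted only at compile time
    return "\n".join(out) + "\n"


def fingerprint(binary: str) -> str:
    """Short hash, standing in for comparing the two builds byte for byte."""
    return hashlib.sha256(binary.encode()).hexdigest()[:16]


def diverse_double_compile(suspect_cc: str, other_cc: str, compiler_src: str):
    """The thread's recipe: build gcc with gcc (gcc_gcc) and with icc
    (icc_gcc), then build the gcc source with both; the two results must
    match. Returns (match?, build from gcc_gcc, build from icc_gcc)."""
    gcc_gcc = run_compiler(suspect_cc, compiler_src)
    icc_gcc = run_compiler(other_cc, compiler_src)
    from_gcc_gcc = run_compiler(gcc_gcc, compiler_src)
    from_icc_gcc = run_compiler(icc_gcc, compiler_src)
    same = fingerprint(from_gcc_gcc) == fingerprint(from_icc_gcc)
    return same, from_gcc_gcc, from_icc_gcc


if __name__ == "__main__":
    for label, cc in (("honest gcc", HONEST_GCC), ("trojaned gcc", TROJAN_GCC)):
        same, _, _ = diverse_double_compile(cc, ICC, COMPILER_SRC)
        print(f"{label}: stage-2 builds {'match' if same else 'DIFFER, something is fishy'}")
```

Running the check with the trojaned binary on both sides makes the two stage-2 builds match again, which is the objection raised in the thread: the comparison only proves anything if the second compiler is genuinely independent of the first.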
Um, because it wanted to refer to you by your real name, which is the entire damn point of having the field in /etc/passwd? Or even your username?
Why would it need to? Skype has its own accounts, if it wants to refer to me by name it can use whatever I entered in my account info.
Or perhaps it's not even the thing doing it, perhaps it's using a shell script to see if the skype: handler is registered in Skype, and that script does 'ls -l' to check file sizes.
That'd be a stupid way of doing it, and I think AppArmor would have logged bash in that case. Or at least I hope it can tell the difference between what a program is doing, and what a program launched by another is doing.
What I'd be interested in figuring out is exactly what the fuck confidential information people think is hanging out in /etc/password? We all know that there are actually no passwords in that file, right?
More than confidential, it's interesting why it's looking there. Especially the much stranger mozilla directories and /proc/interrupts. Add those things together and it's not hard to imagine that skype might be gathering something from /etc/passwd like everybody's real names and reporting them. Now I have no clue if it actually does that, but given that Skype is already well known for doing strange things, some paranoia seems justified.
DNS stuff, it needs to connect to servers after all
/etc/passwd r,
/etc/group r,
Maybe harmless. No passwords here, only lists of usernames and home directories. And RL names, if specified. As other people suggested, may be just being used to find something like the home directory. Might be used to gather stats on number of users on the system, names, etc. Probably not a huge deal unless RL names are specified, but still interesting.
/proc/1/cmdline r,
Command line for init. On my system contains only the runlevel. Not sure what's interesting to look at here, but it is quite unusual.
/proc/interrupts r,
Interrupt statistics. This would allow determining the number of CPUs, hardware present (from listed module names), activity levels of various devices. Potential for gathering hardware statistics. Not sure what would a legitimate use for this be.
Heh, but ls has a perfectly legitimate reason for it: Looking up account names. You can see that plain 'ls' doesn't open it, because the short format doesn't show usernames (now if it did in this case that'd be interesting as well). And if you still think it's suspicious you can get the source and look at it.
Now what exactly does skype need to know my or anybody else's account name for? I've got no clue, but I'd be very interested to find out.
Because for something as well known as Skype, somebody would be bound to read it at some point if it was open.
For example, I work on the Second Life source, and I and other people read quite big chunks of it. You can bet that the moment somebody noticed something fishy there'd be blog entries about it all over the web, and dozens of people looking at that and other parts of the source. And it'd have happened much earlier than if it was found by chance by some admin stracing or checking the logs.
In fact pretty much the first thing that people did when the source was opened was starting to think of interesting things to grep the source for.
Now that people like me have forks of the Second Life source, there are people who check the diffs for every new LL release when they merge the changes with their own. You can bet it would be pretty hard to sneak something into it in this situation.
Now how do you do that for a closed source program? You can't. You either need to be an uber-hacker who disassembles and decompiles things for fun, a paranoid sysadmin (unlikely too, who runs skype on a server?), or happen to notice something weird by chance and have the skill and knowledge to be able to figure out what a closed program is up to.
The GPL vs BSD "freedom" argument is really boring semantics. Whether the GPL is freedom, slavery, communism or whatever else you want to call it is irrelevant to me: It does precisely what I want, which is why I use it.
Suppose you have .2, .4, .7, .8 and .9, and want to make it louder by adding .3 to it. The maximum is 1.0. So you get: 0.5, 0.7, 1.0, 1.0, 1.0
Now how do you reverse the changes to those last 3 ones? They're all clipped at the top, completely identically. Information has been lost. This is precisely the problem.
Nobody, not even Linus can turn Linux into a unified system.
Imagine that Linus suddenly went and said (he wouldn't as he's interested in the kernel, but let's ignore that for the moment): Ok, let's do a unified system.
Now that's fine and all, but WHAT would this system be? Just which environment? KDE, Gnome or something else? Nobody would agree, and nothing would change. Maybe some group would appear trying to create Linus' vision, but everybody would be free to ignore it, and it'd be just yet another distro.
Let's suppose he goes with a more blunt approach and says: "I hereby as the Emperor of Linux say that Linux is officially Debian, and the desktop environment is KDE. All other organizations are required to disband, and the developers have to join my chosen ones".
Nobody would give a damn. Well, there'd be discussion for months about that kind of pronouncement, but other than that, not much would happen. Why would Ubuntu, Gentoo, etc obey somebody who doesn't hold any administrative power in their organization? Would Red Hat suddenly liquidate their company or throw their distribution out?
And if I decide I want to work on Enlightenment, and release my own distribution, who is going to stop me from doing that? Nobody.
Again, Linus, and everybody else is completely powerless to dictate anything to the community. We're not employees of a company. If I want to work on something I do, if I don't want to then I don't. This works for MS because Ballmer can say "Ok, this team will work on Vista, and this group has decided it's going to have features X, Y and Z, and that other one came up with this design for the UI. Now get coding." Obviously as MS employees they can't disagree if they want to stay employed, and they can't just fork it because the Windows licensing doesn't allow it.
But Linux is free, and a consequence of that freedom is that nobody can dictate anything to anybody else.
Your 'terrorist' idea though, that is one scary idea. While I think the term has been beaten to death by Bush and the media, that would definitely cause it. Lets hope they realize in the end it would still spread to their people, too. Hopefully they have some sense of survival and self-preservation.
I don't think this is terribly likely, as if the disease was bad enough to cause an epidemic, it would have already, even without the terrorists. An epidemic probably needs the right disease: something with the right set of incubation time, lethality, symptoms, etc which make it spread very widely. Something that kills very fast wouldn't spread, for example.
But supposing such a thing appeared, it'd probably spread just fine without terrorists, as there are plenty of stupid people who will ignore any attempt to quarantine it.
It's simple logic. All other things being equal (and they perfectly can be, because I'm not talking about any specific license here), the availability of source makes it much harder to sneak something nasty in. QED.
But you're not making any sense anymore anyway, because you're foaming in the mouth imagining me to be some adept of Stallman's.
That your claim that commercial software somehow provides some sort of guarantee. You imply that when you say "Virtually every piece of commercial software has to be supported, which means you have to have a support staff looking at the code. [...]". Many companies DON'T have any dedicated support staff. When programmers are the support staff they can do whatever they please. If they put a trojan in, there's not going to be anybody over them watching.
Right, so we agree here.
Disagree, it's neutral. Anybody can write software. Neither closed nor open source is inherently harder to write or publish. Possibility of collaboration isn't very relevant, I can work with somebody on a closed but free of charge program, or publish OSS and not accept anybody's patches.
Just like every piece of software in existence. Maybe with the rare exception of custom contracted coding, but that's not what we're talking about here.
Yes, that you lost the argument, since you can't find anything better to say. Thanks for playing
Nothing at all is stopping me from becoming a 1-employee company and selling software. That doesn't confer any magical safety benefits for the end users.
There are programs in wide use (especially shareware) made by a team of 1-3 people. File compression tools for instance. Moonpod, a company that sells games online has 2 employees. They manage fine.
What, it's the piracy rhetoric now? Look, it's data. They lose nothing by giving free stuff that costs about $0 to produce to people who probably wouldn't have bought it anyway (would you participate in the class action lawsuit then go buy another Sony CD?).
Right, and I can do that with a closed source app as well. Only it'll take more time to figure out what it does, and I can connect to a wireless AP once, upload my trojan to a bunch of download sites, then never appear again.
No, you are the one thinking that incorporation somehow confers magical safety benefits. Seriously, look at the amount of outrage it took to get SOMETHING to happen. And the end results were really disappointing. Now if the judgement was paying $100 per sysadmin/user hour spent removing the crap from their systems, then maybe it would have made some effect.
You can bet that if some 16 year old kid did that to Sony they'd have come up with some damage figure in the hundreds of thousands of dollars at the very least.
And it's not like it changed anything either, see the junk made by Sony shipped with BioShock.
Because in my view, "user" involves using, and a computer as a general purpose device is something that you very reasonably expect anybody can install something on.
All normal people I've seen have lots of third party software. The most computer illiterate person I know has installed a music score editor, and seems to have filled the disk with stuff downloaded from kaazaa, at the very least. Certainly there's a lot more than that there, but I didn't investigate.
Also not a single person can seem to resist a bit of personalization as it's a "personal computer" after all. Hard to call it your own if you don't at least change the desktop background and download a couple cool screensavers.
Oh, it isn't. But you seriously overestimate the level of control going on in places. While I'd completely agree such a thing would be bad management, I'm pretty sure it happens quite a lot, too.
I don't think you understood it very well. Those albums are effectively free to Sony. They're downloads. The only people they lose a bit of cash on are the ones choosing the cash, and the terms seem to be done in such a way that taking the cash is the unfavourable proposition. 3 albums, or $7.5 and one album. Googling around, $7.69 is the price of a cheap one, and it's not hard at all to find one for $14 to $70.
So maximizing what you get out of it would mean going with the 3 albums option, out of the amazing catalogue of "over 200" of them.
Now certainly Sony will lose a bit of cash over this, but combining that not nearly everybody they screwed over will join the lawsuit, and that most of the settlement is effectively free to them (just like MS paying with MS software), they're getting off very, very cheaply.
Ok, if he's so anonymous, how did people get to use his software in the first place? Generally distributions don't include software without an active and reachable developer. If you have a website, domain, email address, etc, you're reasonably easy to trace.
Not the point anyway. The point is to discourage bad behavior, and you can discourage a single person a lot more effectively than a corporation.
That'd be one incredibly boring existence. Windows comes with very little that is useful.
What you say might apply to people who only very occasionally use a computer for printing something, but those wouldn't be what I call normal users, just like I wouldn't call somebody who gets their bicycle out once a year a cyclist.
Normal Windows users are generally knowledgeable enough to understand basic things -- such as how to find, download and install something, but not enough to understand concepts like security, phishing, the registry, how the Internet works even on a basic level, etc. How programs are created is an incredibly mysterious black art to them, and it never comes to their minds that a program can be easily altered and redistributed. Surely Winamp is Winamp, even if you find it on evilhaxx0r.com, or emailed by some random person to them.
These people will typically disregard precautions by telling you to stop being so paranoid, as "who'd want to break into my computer anyway?", assuming that people only ever break into things like banks and the pentagon as seen in the movies. Several people asked me whether I could break into a bank or the pentagon.
Attempts to explain that running programs sent in mail attachments are often fruitless, as they're really sure Bob would never send anything malicious.
No, the company is simply small and doesn't concentrate on development. I double as the sysadmin. That's all the IT staff (me).
Not every company is some IBM-sized gorilla.
Vulnerabilities? I don't remember MS being ever sued for that, and they've had plenty.
Now how it goes with intentional rootkits, well, see below how that worked out.
Big deal. "Cost of doing business". The RIAA also gets lots of bad press, but they don't seem to be going anywhere. You can bet most people haven't heard of the whole debacle, the majority of them didn't understand it, a good portion didn't care, and most of them forgot about it by now anyway, since Sony is a well known brand and that obviously means they're trustworthy.
Yes, because people got a pile of money from Sony. Let's see, the settlement was: "Customers who exchange their XCP CD can either download three albums from a list of over 200 titles, or claim a cash payment of $7.50 and a free download of one album".
Such an incredible settlement! You can download 3 albums, from an amazing list of over 200 titles (probably 201, heh), and whic
There's a difference of scale.
In the first case you have a developer who wrote the whole thing, got found out, and inexplicably managed to convince somebody to stay silent. This developer has the size on their side, because the chances that people won't look very well at a 50K line program are much greater than that something will be missed in a 10 line patch.
You've not dealt with enough Windows users, I see. Most of them seem to install any crap they can find anywhere. Programs menu nearly always doesn't fit on the screen without scrolling. You can find things like Bonzi Buddy (installed intentionally!), every IM messenger in existence, tools like WinZIP, WinRAR, file sharing tools, MP3 players (winamp), CD ripping tools, Photoshop/3D Studio/Maya/whatever (mostly pirated of course), keygens for those (made by VERY reputable people), tons of screensavers, etc, etc.
Now most of those are legitimate, but you can bet the average user knows that Winamp is cool and popular, but doesn't think there's any reason not to download it from the first website they come across (which is fairly often not the official one).
But it doesn't end there, you can expect to find every cool plugin ever made for Winamp as well, which includes nice things like Wildtangent (spyware).
Then of course, not like using only "official" stuff is a guarantee of anything. See the Sony $sys$rootkit, delivered on original music CDs, and nearly every computer manufacturer ships the system preloaded with all sorts of crap (it seems Dell even shipped preinstalled spyware).
This one guy I know reformats his system every couple of months, because it must have about every form of spyware in existence. Ads popup at random, IE crashes for no reason, youtube works in firefox but not in IE, takes ages to boot...
That's not my point, my point is that while the Debian maintainer might not read all of firefox, the Red Hat one is probably not looking at exactly the same parts source. That a single person doesn't read it all doesn't mean that collectively, over time, people aren't going to get through all of it. And you don't need to read all of it either, suspicious things can turn out from grep or when debugging something.
No, but this is perfectly possible for a distribution to do. End users shouldn't be compiling anyway. The distribution making sure their toolchain is good is enough.
Uh huh. I work at a company (working on internal code though). I could put any crap I wanted there, and probably nobody would ever find out, because nobody else at the company is capable of reading the simplest code. There are many companies, some of which are too small to have any sort of review process, and some of which do this stuff intentionally and honestly don't give a damn. You can't even boyco
What's this "lots of code" you're talking about? On a normal Linux system that's maybe the nvidia driver and that's about it, and somebody is doing work on an open version of it. File formats used by OSS are usually very well documented (excluding a few things like reading MS office files)
Right. And that bit of code looks obviously harmless. You'd obviously scroll right by it if you saw it in some package's source, because there's absolutely no chance anything odd would be going on in a piece of code like that.
I mean seriously, that SCREAMS that there's something odd there.
Here's the same challenge for you as for the other poster: Write some code that accesses some file it shouldn't, and does something with the data in it (writing it to a socket say) in such a way that you can't tell what's it doing without looking really well at it, and it looks harmless or to be doing something else.
This obviously excludes clear obfuscation, horrible formatting, encoding the filename in any way, hiding the file open by doing the syscall by calling int 80, etc.
Ok, if you're so clever, provide an example of code that reads a file without making it easy to tell what it's doing, while avoiding looking suspicious.
Don't change subject. The original post was about a developer releasing "evil" code, then turning somebody who finds it to their side. Now you're talking about people submitting patches with something hidden in them. Completely different scenarios.
Most OSS projects don't blindly accept patches. Certainly not the ones in widespread usage. You might sneak a buffer overflow in, but to sneak an outright trojan would be seriously challenging. The submitter's anonymity isn't a problem if source is being examined.
Stupidity exists everywhere of course, can't be eliminated 100%. But while for Linux users perhaps 1% of all software comes from unverified sources, for Windows users it's 99%. Just why exactly do you trust that say, Trillian isn't doing anything strange? Nobody but its developers really knows what's there.
Not all of it, but there are many distributions, which each look at different parts of the source. To sneak something in you'd need to be really sure that part won't get looked at by anybody, and that's hard. Developers watch mailing lists, talk to people who work on the project and use 'svn diff'.
First you build gcc with icc. This is icc_gcc.
Then you build another copy of gcc with gcc. This is gcc_gcc.
Now you have two gccs with different code generated by different compilers.
So now you take both of those, and build the gcc source with both icc_gcc and gcc_gcc. Both should generate the same code. If they don't, something's fishy.
You can easily do this with more compilers and multiple versions.
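The check described in this post is what is now usually called diverse double-compiling. The following is an added example, not code from the thread or from any compiler project: a Python simulation in which compilers and the binaries they produce are toy objects, so the whole procedure (icc_gcc, gcc_gcc, the second build with each, the comparison) runs in a second. The names GCC_SOURCE, Binary, run_compiler, diverse_double_compile and cross_check, and the "trojaned" flag, are assumptions of the simulation; the flag stands in for the extra bytes a subverted compiler would emit when it recognises it is compiling a compiler, with nothing corresponding to them in the source.

```python
from dataclasses import dataclass

# Toy compiler sources (constructed). A line starting with "compiler <name>:"
# describes a compiler; anything else is an ordinary program.
GCC_SOURCE = "compiler gcc: translate each line into an instruction"
HELLO_SOURCE = "print hello"


@dataclass(frozen=True)
class Binary:
    """A compiled artifact, compared field by field like a byte-for-byte diff.

    code     - the output as emitted by whichever compiler built this binary
    codegen  - which compiler source this binary implements ("" for programs)
    trojaned - stands in for extra bytes a subverted compiler appends
               without any trace of them in the source it compiled
    """
    code: str
    codegen: str = ""
    trojaned: bool = False


def codegen_of(source: str) -> str:
    """Name of the compiler a source describes, or "" for a normal program."""
    if source.startswith("compiler "):
        return source.split(":", 1)[0].split()[1]
    return ""


def run_compiler(compiler: Binary, source: str) -> Binary:
    """Compile `source` with `compiler`.

    Code generation depends on the compiler's own codegen (icc and gcc emit
    different bytes for the same input), which is why the stage-1 outputs
    below differ even when everyone is honest. A trojaned compiler propagates
    itself only when it recognises it is compiling a compiler, so ordinary
    programs come out clean and testing on them proves nothing.
    """
    code = f"[{compiler.codegen}-codegen] {source.strip()}"
    target = codegen_of(source)
    return Binary(code, target, trojaned=compiler.trojaned and target != "")


def diverse_double_compile(suspect: Binary, trusted: Binary,
                           source: str) -> tuple[bool, Binary, Binary]:
    """The post's procedure: build `source` (the suspect compiler's own
    source) with an independent compiler and with the suspect, then build
    it again with each result. Honest compilers agree at stage 2."""
    stage1_trusted = run_compiler(trusted, source)   # icc_gcc in the post
    stage1_suspect = run_compiler(suspect, source)   # gcc_gcc in the post
    stage2_trusted = run_compiler(stage1_trusted, source)
    stage2_suspect = run_compiler(stage1_suspect, source)
    return stage2_trusted == stage2_suspect, stage2_trusted, stage2_suspect


def cross_check(compilers: list[Binary], source: str) -> bool:
    """Generalisation to 'more compilers and multiple versions': every
    stage-2 result must be identical, whichever compiler did stage 1."""
    stage2 = {run_compiler(run_compiler(c, source), source) for c in compilers}
    return len(stage2) == 1


if __name__ == "__main__":
    icc = Binary("<icc as shipped>", codegen="icc")        # trusted, independent
    gcc_honest = Binary("<gcc as shipped>", codegen="gcc")
    gcc_evil = Binary("<gcc as shipped>", codegen="gcc", trojaned=True)

    # Ordinary programs look identical either way: the trojan hides from that test
    assert run_compiler(gcc_honest, HELLO_SOURCE) == run_compiler(gcc_evil, HELLO_SOURCE)

    ok, *_ = diverse_double_compile(gcc_honest, icc, GCC_SOURCE)
    bad, *_ = diverse_double_compile(gcc_evil, icc, GCC_SOURCE)
    print("honest gcc passes:", ok, "| trojaned gcc passes:", bad)
```

Two things the simulation makes visible that the post only states in passing: the stage-1 outputs differ even when both compilers are honest (different code generators), so only the stage-2 outputs are comparable, and compiling an ordinary program with the trojaned compiler gives exactly the same output as with the honest one, which is why comparing normal programs proves nothing.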
Well, I still think it can't be defined that the OSS approach is superior. It's not impossible to sneak something in. But in doing so you must take a very high risk of being found out, and if somebody tracks that back to you, well, chances are you're going to have to look for a new career. People with a known record of coding nasty things aren't very liked in the software world.
A good deal of which have ISPs that block outgoing connections on port 25, which isn't a problem for servers.
Ok, and if you were a spammer, where would you rather host your spam bot? On grandma's Win98 box connected to a modem that occasionally comes online, or a big Linux/Solaris/whatever server on a DS3? Because while Linux may not be very popular as a desktop OS, it's certainly common as a server. And servers tend to have much better connections than a normal computer.
Linux in its default configuration has no open ports and can be installed safely without a firewall defending it. Can't say the same about many MS OSes. Certainly not Windows 9x, of which there's still a lot of copies running out there (and not supported anymore, thanks MS!)
Well, I just tried to ltrace it, it's interesting.
Lots of output, but no getpw or open in it, and before starting skype says "Binary file corrupted. Please reinstall skype". So can't get very far with ltrace.
Either ltrace screws something up, or skype intentionally makes it not work.
But it doesn't do that. I just made a new user account, ran skype, and started creating a new skype account. Skype leaves the full name field blank.
Why isn't it looking in
Best harmless use that comes to mind: Skype knows that device X and device Y create problems when sharing IRQ, and contains some sort of message to the user in that case.
This sort of "evil" is very transparent. You can code a hidden buffer overflow/exploit/backdoor in such a way that it's not obvious (= instead of == for example, caught in the Linux kernel once). But how do you hide an access to say, /proc/interrupts? You need to spell out the filename, and there's got to be an open or fopen for it somewhere. Any attempt to encode the filename is going to be weird and suspicious. Plus, file parsing would be quite a bit more than a single line of code, so it's hard not to notice something is being read, stored, etc.
Uh huh. Such a thing would be an outright admission of evildoing. Depending on what is being done it might be enough for a lawsuit, and definitely enough for mass publication all over the web to ruin the developer's name. Slashdot had a story on some Mac developer who claimed there was an anti-piracy check that'd delete the user's documents folder. Just the claim (which the developer says wasn't real and intended to scare people off) resulted in such outrage he's probably unemployable for years now.
No, anybody with any brains would deny any wrongdoing and claim a hacked server, or pretend that no mail is arriving at all.
But 99% of Linux software is delivered by the distribution, with the package maintainer often being completely unrelated to the developer. While it's not impossible for something weird to be going on, those distribution maintainers do things like patching the source and dealing with its bugs. You can bet that eg, the Debian maintainer of Firefox looked at the source.
That's a tricky one, but you can use a different compiler. Compile gcc with icc for instance. For OSS I think this approach is unlikely due to the frequency with which somebody decides "let's rewrite this part". It's easy to make a compiler that hiddenly changes some well known part of the source, but it's much harder to deal with a complete reorganization of it. To keep it up would need updates
Why would it need to? Skype has its own accounts, if it wants to refer to me by name it can use whatever I entered in my account info.
That'd be a stupid way of doing it, and I think AppArmor would have logged bash in that case. Or at least I hope it can tell the difference between what a program is doing, and what a program launched by another is doing.
More than confidential, it's interesting why it's looking there. Especially the much stranger mozilla directories and
Of course they do.