You say that now, but when your mom is standing behind you as you search for movie ticket show times, and the ads are all about "Big Heads In Deep Holes", you might think again...
It's relatively trivial to recompile from source and compare the md5s. In addition, yes, all distros that I know of come with the correct md5s of the files in each package, which is just one of the many ways you can check for rootkits on unix systems.
Of course to do a real comparison you'd copy the data to another system and do the comparison there based on the md5s listed in an online source, since the md5s stored locally are potentially compromised (as could the package manager itself also be compromised). But as most rootkits don't go this deep, you can often spot it immediately with this method.
Yeah, I agree with you. There's really two classes of attacks - social attacks ("click on this e-mail/executable/etc.") and automated attacks (open ports and similar vulnerable services).
For automated attacks, I would say that linux has proven to be much more resilient to attack for a number of reasons.
For social attacks, Windows has a huge share on the user-attackable desktop population. But Windows also makes attacks easier than they should be, with things like hiding extensions, autoplay, and a plethora of badly coded software that requires admin access when it shouldn't.
A lot of that software isn't necessarily bad either, it's just from a time before Windows had any pushback on that sort of thing (ie: Vista's UAC) That's the biggest reason that, given the same policy rules, a linux or mac user will hit a Sudo prompt far more infrequently than a Vista user hits UAC prompts.
Wrong. As another response points out, with linux's extremely high penetration in the server market, where servers tend to have a ton more bandwidth (and confidential data, for that matter), linux should be the primary target for viruses.
But for various reasons (non-mono-culture, in addition to better default security in the OS *and* most apps written for it) the best way found so far to hijack linux machines is attempting to crack common username+password combinations.
If you have any linux box with SSH open to the internet, you should know that these password attacks happen non-stop, all day every day. On every linux box I've admined. So the demand is obviously there, but the OS and the security culture around the OS is making it much more difficult.
Of course there's also a large difference between attacking desktops and servers, since desktop attacks often require user interaction, and server attacks have to be automated. But it's still easy to think back and notice a trend in even automated exploits on windows servers, where there haven't been (successful?) exploits on linux boxes.
Essentially, linux is secure enough that the only successful method of attack so far has been the user-stupidity point-of-entry, bad passwords.
Two of the biggest reasons linux has proved so (relatively) impermiable are the lack of a software mono-culture, and the existence of an easy target in Windows.
Even when Windows Server has had a smaller share of the server market, it's still been targeted by numerous (successful) automated attacks.
(and just to repeat the obvious, no OS is impossible to write viruses for or otherwise exploit, and I'm sure there are viruses for every OS out there. The real question is how many successful large scale attacks have there been on each - and successful large scale attacks have as much to do with monoculture and time-to-patch as any internal OS security policies)
(also it looks like my slashdot ID is lower than yours, do I win the EPEEN contest?)
I totally agree. It's possible they have an overzealous forum team? It's possible they're embarassed by this "anonymous usage tool", and making a bigger deal out of it then anyone would have had they been honest? Maybe they plan to use it to shut off pirated copies of Norton and don't want to tip off the pirates?
Regardless of what it actually is, the fact that they didn't make the right forum response demonstrates at best substantialy unprofessionalism. And, quite likely, some sort of cover up.
Mod this up. For all the hysterics, this sounds accurate from reading the Strings dump. The only real news story here may be Norton's inappropriate forum reaction.
If this is indeed a "legitimate" patch tool, why not post that info on the forum, sticky it at the top, and refer to it when locking (instead of deleting) subsequent re-posts?
Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
I live near Circuit City's headquarters, and my dad had always encouraged us to shop there to help the local economy. But even I had sworn off CC long before they went out of business. I even went there exclusively for a time after I had a bad experience at Best Buy, but CC managed to kick me back out with their bad service, bad stock, and bad prices.
Mainly, I switched to always buying online from newegg or Amazon. But I think CC could have competed quite well with a good stock of "pick up in-store" products. I always liked the idea, but the prices and poor stock made it pretty ineffective.
I expected to like Vista, when I started using it at work *after* Service Pack 1 came out. WAY too many major bugs.
As for UAC, it was obnoxious for the first week of installing programs, especially because it often (intentionally?) pops up *behind* the program being installed. As in the dialog isn't visible. I sat there in another window working for 5+ minutes before I started wondering why the installer hadn't finished unpacking/preparing yet, and eventually found a UAC dialog behind everything.
I think the key problem is that UAC triggers way too often. One week of running on Vista I saw more UAC prompts than I have on my linux and Mac combined for the past 4+ years. I'm not 100% sure why - is it because most windows apps are badly designed (for historical reasons)? Is it because my mac and linux are "insecure" compared to vista?
I badly wanted to like Vista, and I still found myself infuriated with it.
I haven't seen the movie yet, but AFAIK there's a big difference between a "strange and unknown" enemy, and "that guy we know really well who's basically a God and whom we can do nothing to stop". The former is a giant question mark to bring people together. The latter sounds like the same "vengeful god" crap we already have in Real Life (which obviously isnt working so hot). In fact, it's the same vengeful god crap the Watchmen universe already had in Dr M when he was on the US's side.
Why not have Dr M arbitrarily create a giant fake squid (or whatever) to blame it on, instead of doing it himself? At least it'd be different from what the world already had before Dr M went go be emo on mars.
Screw you over is a very subjective claim. It's just like non-compete agreements in employment. Is accepting a job where I get paid $$$$ really "you know it will screw you over but just don't care"? There are benefits now, there are (arguably minor) risks later.
Oh no, I MIGHT have to pay $2 to buy Bejeweled Multiplayer in 8 years so my daughter can play it while I play Half-life 5? You really think that edge case is worth "giving up" everything I can gain by using Steam now? It's not.
I love playing Left 4 Dead, TF2, CS:S - these are the best games out there. I'm not going to deprive myself of substantial enjoyment now just for extreme-edge-case fears that are unlikely to ever materialize.
A better analogy than yours would be "I'm going to stand in this drain on the side of the road so I can pick up a $100 bill, but I don't doubt that it might rain eventually and get my shoes a little wet".
You're welcome to use a different account for each game, if you're ability to resell the games is more valuable to you than all the conveniences Steam provides (like friends list, online store, etc.)
=\
Steam isn't perfect, but like Google, get a lot of bonus points and leeway for not being Evil.
Agreed. I went to Japan expecting it to be time travel. They would be flying around in cars miles above the city, teleporting from place to place, and tentacles would be all over the place just like deer or squirrels in the US.
The WIRED article intentionally promotes this false view of japan. In reality, I didn't find anything in Japan we don't have in the US. A few niche items (like the R4 card for the DS) are easier to find in Tokyo than in the suburbs of the US. But it would be just as easy to find in a major city like New York or Chicago.
So of course the article is claiming the iPhone is hated in japan (false) and the reason is because they have such great amazing phones (false) that Americans won't see for a decade.
If the second premise were true, I could see that being reason for US consumers to care about the Wired article. Why buy an iphone if some crazy awesome japanese phone will be arriving in a couple months?
Fortunately for Apple, that isn't the case. I didn't think Wired was this trashy, especially reading about the dishonest quotes that were preserved (in some form) despite the complaints.
One is currently unambiguously legal and frequently used. The other one has a substantial religious base rallying against it, as well as a social stigma and various regulations hindering its use.
It's certainly ideal for the user to not have to pick+download+install a web browser. Especially considering you need a web browser to do it. Catch 22?
That said, normal rules of usability and user-friendliness get (Rightly) thrown out the window when you're declared a monopoly, as Microsoft has been.
This is why it's OK for Apple to bundle Safari, but Not OK for Microsoft to bundle Internet Explorer.
In a correctly regulated world, all PCs would come with a web browser, but it would be up to the manufacturer to decide which browser(s) they wanted to include.
And since all other browsers have to be given away for free to remotely compete with Internet Explorer, IE "should" also need be split off into a separate company. Let them flail at giving away a product with no income like they've forced their (few) competitors to do.
Why should IE be able to get funded AND distributed by suckling at a monopoly's tit while Firefox and Safari (and now Chrome) are struggling to compete? Why does government regulation of monopolies exist, if not to keep Microsoft from turning the entire global Internet into a MS-only proprietary network?
Throwing a tantrum when leaving a company is a meaningful demonstration of personal issues that are likely to effect your ability to work well in teams. It's completely reasonable to avoid hiring someone due to their demonstrating said qualities.
You may be right that I'm confusing the two. I was thinking they overlap mostly in the game industry, the same way they do in the music and movie industries. So if this is true, Steam would at the very least take all the distribution profits the gaming publishers are currently keeping for themselves, while also opening up the market to publisher-less developers and self-funded development studios.
This is a really excellent writeup comparing Microsoft's dominance with Google's.
It's demonstrated every day with the products we use and how we feel about it. Google's products I use if I like them. Microsoft's [inferior] products I have to go out of my way to avoid, as they're unremovable (and auto-starting) on my operating system, and typically [intentionally?] incompatible with competitors.
So yeah, even Valve with their "Hey look at us guys! we think DRM is silly, we love piracy and think it helps! hell we even do great discounts sometimes!" are still the scum of the Earth and as bad as EA when it comes to draconian DRM in that they prevented me playing a game made by the company THQ and bought from the company GAME and could just as well prevent me again any time they wish.
Keep in mind that Gabe Newell *could* walk over to your house and light you on fire. Steam is, like Apple, pushing things in the right direction. Valve is in a unique situation where they can afford to have morals and fight for the consumer. They don't always do what we *want* (free beer and games?) but they have done a good job of keeping things feeling fair.
If a company says "We'll only put DoW2 on Steam if you block all activations until release day", that's a problem with retailers selling games that aren't ready for sale. It's unfortunate, especially for a single player game, that a company would put these restrictions on the game in the first place.
As Chaos Incarnate also points out, it's very unlikely that Valve gets to "pick a price" for 3rd party games on the Steam service. A lot of publishers are reluctant to offer better deals on Steam than in retail, as they will effectively hand their jobs over to Valve and Steam.
You forgot to mention that there's only one company selling bikes, because they own all the roads and won't allow any other company's bikes on their roads.
Then they're convicted as a monopoly by government courts, but the government doesn't bother to actually stop any of this unfair behavior or make any effort to bring competition back to the marketplace.
So your only choice if you don't want to walk is to buy a broken bike from the only bike vendor there is, and then bitch about it.
Oh, or there's those other bikes with square wheels that you can only ride in the creek...
Slashdot Mirror
You say that now, but when your mom is standing behind you as you search for movie ticket show times, and the ads are all about "Big Heads In Deep Holes", you might think again...
http://www.penny-arcade.com/comic/2006/10/18/
It's relatively trivial to recompile from source and compare the md5s. In addition, yes, all distros that I know of come with the correct md5s of the files in each package, which is just one of the many ways you can check for rootkits on unix systems.
Of course to do a real comparison you'd copy the data to another system and do the comparison there based on the md5s listed in an online source, since the md5s stored locally are potentially compromised (as could the package manager itself also be compromised). But as most rootkits don't go this deep, you can often spot it immediately with this method.
Yeah, I agree with you. There's really two classes of attacks - social attacks ("click on this e-mail/executable/etc.") and automated attacks (open ports and similar vulnerable services).
For automated attacks, I would say that linux has proven to be much more resilient to attack for a number of reasons.
For social attacks, Windows has a huge share on the user-attackable desktop population. But Windows also makes attacks easier than they should be, with things like hiding extensions, autoplay, and a plethora of badly coded software that requires admin access when it shouldn't.
A lot of that software isn't necessarily bad either, it's just from a time before Windows had any pushback on that sort of thing (ie: Vista's UAC) That's the biggest reason that, given the same policy rules, a linux or mac user will hit a Sudo prompt far more infrequently than a Vista user hits UAC prompts.
Wrong. As another response points out, with linux's extremely high penetration in the server market, where servers tend to have a ton more bandwidth (and confidential data, for that matter), linux should be the primary target for viruses.
But for various reasons (non-mono-culture, in addition to better default security in the OS *and* most apps written for it) the best way found so far to hijack linux machines is attempting to crack common username+password combinations.
If you have any linux box with SSH open to the internet, you should know that these password attacks happen non-stop, all day every day. On every linux box I've admined. So the demand is obviously there, but the OS and the security culture around the OS is making it much more difficult.
Of course there's also a large difference between attacking desktops and servers, since desktop attacks often require user interaction, and server attacks have to be automated. But it's still easy to think back and notice a trend in even automated exploits on windows servers, where there haven't been (successful?) exploits on linux boxes.
Essentially, linux is secure enough that the only successful method of attack so far has been the user-stupidity point-of-entry, bad passwords.
Two of the biggest reasons linux has proved so (relatively) impermiable are the lack of a software mono-culture, and the existence of an easy target in Windows.
Even when Windows Server has had a smaller share of the server market, it's still been targeted by numerous (successful) automated attacks.
(and just to repeat the obvious, no OS is impossible to write viruses for or otherwise exploit, and I'm sure there are viruses for every OS out there. The real question is how many successful large scale attacks have there been on each - and successful large scale attacks have as much to do with monoculture and time-to-patch as any internal OS security policies)
(also it looks like my slashdot ID is lower than yours, do I win the EPEEN contest?)
I totally agree. It's possible they have an overzealous forum team? It's possible they're embarassed by this "anonymous usage tool", and making a bigger deal out of it then anyone would have had they been honest? Maybe they plan to use it to shut off pirated copies of Norton and don't want to tip off the pirates?
Regardless of what it actually is, the fact that they didn't make the right forum response demonstrates at best substantialy unprofessionalism. And, quite likely, some sort of cover up.
Mod this up. For all the hysterics, this sounds accurate from reading the Strings dump. The only real news story here may be Norton's inappropriate forum reaction.
If this is indeed a "legitimate" patch tool, why not post that info on the forum, sticky it at the top, and refer to it when locking (instead of deleting) subsequent re-posts?
Hmmm...maybe this is how Obama is going to save the economy?!
Maybe Norton's anti-virus is so good that even THEY can't get a virus past it? ;)
Reading TFA, the author noted a lot of padding in the suspect executable, presumably to have it match the filesize of something it's pretending to be.
The author then suggests with the rapid proliferation and Norton's screwy coverup in their forums, that the auto-updater may have sent out a virus/rootkit.
Perhaps Norton thought they could send out a patch to clean it up before anyone found out?
I live near Circuit City's headquarters, and my dad had always encouraged us to shop there to help the local economy. But even I had sworn off CC long before they went out of business. I even went there exclusively for a time after I had a bad experience at Best Buy, but CC managed to kick me back out with their bad service, bad stock, and bad prices.
Mainly, I switched to always buying online from newegg or Amazon. But I think CC could have competed quite well with a good stock of "pick up in-store" products. I always liked the idea, but the prices and poor stock made it pretty ineffective.
I expected to like Vista, when I started using it at work *after* Service Pack 1 came out. WAY too many major bugs.
As for UAC, it was obnoxious for the first week of installing programs, especially because it often (intentionally?) pops up *behind* the program being installed. As in the dialog isn't visible. I sat there in another window working for 5+ minutes before I started wondering why the installer hadn't finished unpacking/preparing yet, and eventually found a UAC dialog behind everything.
I think the key problem is that UAC triggers way too often. One week of running on Vista I saw more UAC prompts than I have on my linux and Mac combined for the past 4+ years. I'm not 100% sure why - is it because most windows apps are badly designed (for historical reasons)? Is it because my mac and linux are "insecure" compared to vista?
I badly wanted to like Vista, and I still found myself infuriated with it.
I haven't seen the movie yet, but AFAIK there's a big difference between a "strange and unknown" enemy, and "that guy we know really well who's basically a God and whom we can do nothing to stop". The former is a giant question mark to bring people together. The latter sounds like the same "vengeful god" crap we already have in Real Life (which obviously isnt working so hot). In fact, it's the same vengeful god crap the Watchmen universe already had in Dr M when he was on the US's side.
Why not have Dr M arbitrarily create a giant fake squid (or whatever) to blame it on, instead of doing it himself? At least it'd be different from what the world already had before Dr M went go be emo on mars.
Screw you over is a very subjective claim. It's just like non-compete agreements in employment. Is accepting a job where I get paid $$$$ really "you know it will screw you over but just don't care"? There are benefits now, there are (arguably minor) risks later.
Oh no, I MIGHT have to pay $2 to buy Bejeweled Multiplayer in 8 years so my daughter can play it while I play Half-life 5? You really think that edge case is worth "giving up" everything I can gain by using Steam now? It's not.
I love playing Left 4 Dead, TF2, CS:S - these are the best games out there. I'm not going to deprive myself of substantial enjoyment now just for extreme-edge-case fears that are unlikely to ever materialize.
A better analogy than yours would be "I'm going to stand in this drain on the side of the road so I can pick up a $100 bill, but I don't doubt that it might rain eventually and get my shoes a little wet".
You're welcome to use a different account for each game, if you're ability to resell the games is more valuable to you than all the conveniences Steam provides (like friends list, online store, etc.)
=\
Steam isn't perfect, but like Google, get a lot of bonus points and leeway for not being Evil.
Agreed. I went to Japan expecting it to be time travel. They would be flying around in cars miles above the city, teleporting from place to place, and tentacles would be all over the place just like deer or squirrels in the US.
The WIRED article intentionally promotes this false view of japan. In reality, I didn't find anything in Japan we don't have in the US. A few niche items (like the R4 card for the DS) are easier to find in Tokyo than in the suburbs of the US. But it would be just as easy to find in a major city like New York or Chicago.
So of course the article is claiming the iPhone is hated in japan (false) and the reason is because they have such great amazing phones (false) that Americans won't see for a decade.
If the second premise were true, I could see that being reason for US consumers to care about the Wired article. Why buy an iphone if some crazy awesome japanese phone will be arriving in a couple months?
Fortunately for Apple, that isn't the case. I didn't think Wired was this trashy, especially reading about the dishonest quotes that were preserved (in some form) despite the complaints.
The iphone is a small laptop, whereas nokia (and japanese companies) are providing big phones.
One is currently unambiguously legal and frequently used. The other one has a substantial religious base rallying against it, as well as a social stigma and various regulations hindering its use.
Other than that, no difference.
It's certainly ideal for the user to not have to pick+download+install a web browser. Especially considering you need a web browser to do it. Catch 22?
That said, normal rules of usability and user-friendliness get (Rightly) thrown out the window when you're declared a monopoly, as Microsoft has been.
This is why it's OK for Apple to bundle Safari, but Not OK for Microsoft to bundle Internet Explorer.
In a correctly regulated world, all PCs would come with a web browser, but it would be up to the manufacturer to decide which browser(s) they wanted to include.
And since all other browsers have to be given away for free to remotely compete with Internet Explorer, IE "should" also need be split off into a separate company. Let them flail at giving away a product with no income like they've forced their (few) competitors to do.
Why should IE be able to get funded AND distributed by suckling at a monopoly's tit while Firefox and Safari (and now Chrome) are struggling to compete? Why does government regulation of monopolies exist, if not to keep Microsoft from turning the entire global Internet into a MS-only proprietary network?
Throwing a tantrum when leaving a company is a meaningful demonstration of personal issues that are likely to effect your ability to work well in teams. It's completely reasonable to avoid hiring someone due to their demonstrating said qualities.
You may be right that I'm confusing the two. I was thinking they overlap mostly in the game industry, the same way they do in the music and movie industries. So if this is true, Steam would at the very least take all the distribution profits the gaming publishers are currently keeping for themselves, while also opening up the market to publisher-less developers and self-funded development studios.
This is a really excellent writeup comparing Microsoft's dominance with Google's.
It's demonstrated every day with the products we use and how we feel about it. Google's products I use if I like them. Microsoft's [inferior] products I have to go out of my way to avoid, as they're unremovable (and auto-starting) on my operating system, and typically [intentionally?] incompatible with competitors.
So yeah, even Valve with their "Hey look at us guys! we think DRM is silly, we love piracy and think it helps! hell we even do great discounts sometimes!" are still the scum of the Earth and as bad as EA when it comes to draconian DRM in that they prevented me playing a game made by the company THQ and bought from the company GAME and could just as well prevent me again any time they wish.
Keep in mind that Gabe Newell *could* walk over to your house and light you on fire. Steam is, like Apple, pushing things in the right direction. Valve is in a unique situation where they can afford to have morals and fight for the consumer. They don't always do what we *want* (free beer and games?) but they have done a good job of keeping things feeling fair.
If a company says "We'll only put DoW2 on Steam if you block all activations until release day", that's a problem with retailers selling games that aren't ready for sale. It's unfortunate, especially for a single player game, that a company would put these restrictions on the game in the first place.
As Chaos Incarnate also points out, it's very unlikely that Valve gets to "pick a price" for 3rd party games on the Steam service. A lot of publishers are reluctant to offer better deals on Steam than in retail, as they will effectively hand their jobs over to Valve and Steam.
Save money once buying the game late, and save even more because you can play it on a $120 graphics card, instead of a $400 one.
You forgot to mention that there's only one company selling bikes, because they own all the roads and won't allow any other company's bikes on their roads.
Then they're convicted as a monopoly by government courts, but the government doesn't bother to actually stop any of this unfair behavior or make any effort to bring competition back to the marketplace.
So your only choice if you don't want to walk is to buy a broken bike from the only bike vendor there is, and then bitch about it.
Oh, or there's those other bikes with square wheels that you can only ride in the creek...