MSOffice also has huge usability issues and bugs, the only difference is that the kludgy workarounds required are more well known.
How is a non-technical end user supposed to know that SourceForge is the official site of FileZilla, and that other sites are not?
The same applies for non free software... You need to ensure you've got it from a trusted source.
In fact, non free software is potentially even more dangerous in this regard as you're more likely to be entering credit card details into the site you're purchasing the software from.
And if you're using such crude methods to differentiate between legitimate and malicious binaries, the malware authors will just pad their binaries with zeroes until they're the same size as the legitimate ones.
They will also compile their binaries with the same compilers, so that it uses the same external libraries, and they will compile with more aggressive file size optimization so that their small amount of extra code doesn't result in the binary being any larger (and thus they can pad with zeroes to make it the same size).
And how does your browser know that http://www.yourbank.com/ which has a VeriSign-issued certificate is your bank, and http://www.scambank.cn/ which also has a VeriSign-issued certificate is not your real bank?
And therefore, how is the end user supposed to know that the binary signed by "Martin Pikryl" and verified by VeriSign is a genuine copy of WinSCP, and that the binary signed by "John Smith" and also verified by VeriSign isn't?
But given that anyone can get a code signing certificate, and that such a certificate only certifies that a particular organisation or individual created a given binary, how is a non-technically literate user supposed to know that "joe smith" isn't a legitimate author to be signing a build of FileZilla?
A malicious distributor of malware could easily get his code signed, and also create a legitimate looking website from which to distribute it. How are end users supposed to differentiate between all the different websites? How do they know which is the real site and which ones are full of malware?
The problem is that this news will now cause legitimate software that just happens to use these libs to be labelled as suspect, and the authors of malware will simply use a different compiler setup that doesn't require these two libs (eg the official bin is much larger most likely because it includes the functionality that the malicious version draws from these libs)
Hashes help, but aren't perfect... If the original source of the code was compromised, then the published hashes could be too and any mirror sites would also pick up the backdoored version. But this isn't unique to open source code, the same attacks can be performed on binaries too if you control the original distribution point.
On the other hand, having the source increases the chance that any changes would be detected by third parties.
If someone only compromised a single mirror site, then you should be able to quite easily tell that the hashes on that mirror don't match the ones on other mirrors and/or the main publisher's site and this is the primary type of attack that hashes are supposed to deter.
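The two points made above, that a size comparison is defeated by zero-padding and that comparing the hashes published by the publisher and several mirrors catches a single tampered mirror but not a compromised upstream, as an added example that is not part of the original comments. The "builds", mirror names and hashes below are constructed stand-ins, not real downloads or sites.

```python
"""Added example; this is not code from the original comments.

It demonstrates with constructed data that a file-size check is defeated by
zero-padding, and that comparing the hashes published by the publisher and
several mirrors catches one tampered mirror but cannot catch an upstream
compromise that every mirror faithfully copied. The "builds" and "mirrors"
are constructed byte strings and names, not real downloads or sites.
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-ins. The trojan carries a few extra bytes of "payload" and
# is padded with zeroes to exactly the genuine build's size.
GENUINE = b"\x7fELF genuine client build " + b"\x90" * 4096
_TROJAN_CORE = b"\x7fELF genuine client build " + b"\x90" * 4000 + b"BACKDOOR"
TROJAN = _TROJAN_CORE + b"\x00" * (len(GENUINE) - len(_TROJAN_CORE))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def size_check(candidate: bytes, reference_size: int) -> bool:
    """The crude check: anything padded to the right length passes."""
    return len(candidate) == reference_size


def hash_check(candidate: bytes, published_hash: str) -> bool:
    """Content check: padding or any other change alters the digest."""
    return hmac.compare_digest(sha256_hex(candidate), published_hash)


@dataclass
class Verdict:
    status: str                    # "ok", "mirror_mismatch" or "bad_download"
    consensus_hash: str            # the hash most sources agree on
    suspects: list = field(default_factory=list)  # sources disagreeing with it


def cross_check(downloaded: bytes, publisher_hash: str, mirror_hashes: dict) -> Verdict:
    """Compare the download against the hash most sources agree on.

    Sources whose published hash disagrees with the majority are reported as
    suspects (the single-tampered-mirror case). If every source agrees the
    result is "ok", but that only proves consistency: an attacker who altered
    both file and hash at the original distribution point is copied by every
    mirror and is invisible here. Only something obtained out of band (a
    signing key fetched earlier, a trusted repository) can catch that case.
    """
    published = {"publisher": publisher_hash, **mirror_hashes}
    consensus, _ = Counter(published.values()).most_common(1)[0]
    suspects = sorted(name for name, h in published.items() if h != consensus)
    if not hmac.compare_digest(sha256_hex(downloaded), consensus):
        return Verdict("bad_download", consensus, suspects)
    return Verdict("mirror_mismatch" if suspects else "ok", consensus, suspects)


if __name__ == "__main__":
    good, bad = sha256_hex(GENUINE), sha256_hex(TROJAN)
    print("trojan passes size check:", size_check(TROJAN, len(GENUINE)))
    print("trojan passes hash check:", hash_check(TROJAN, good))
    print(cross_check(GENUINE, good, {"mirror-a": good, "mirror-b": bad}))
    print(cross_check(TROJAN, bad, {"mirror-a": bad, "mirror-b": bad}))
```

The last call in the usage section is the case the comments warn about: upstream and every mirror publish the trojan's hash, so the verdict is "ok" even though the download is backdoored.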
The main problem in this article is a lack of a trusted central repository for installing software... Windows users need to download and install FileZilla manually, so they search for it on their search engine of choice... But how do they verify that the results which come up are genuine? This is not a problem end users should have to deal with, and the vast majority of people are not sufficiently technically literate to do so safely.
The security model you're talking about is possible with SELinux, but because the control is so fine grained it is extremely painful to manage and becomes impractical for all but the most security paranoid environments.
No, but why would you want to do things in such a convoluted way?
Typically you just verify that the source code you build from matches the published source through the use of checksums and/or GPG signatures... Verifying the resulting binaries would be flawed, as all manner of things could change the resulting binaries such as compile time flags, development headers, compiler version, linked libraries, linker/compiler options etc.
Aside from verifying the original source, if there are modifications made to the source from the official version these are typically distributed as small patch/diff files making it very easy to identify what's been changed...
People still use telnet extensively too...
The primary reason for the use of both ftp and telnet instead of ssh, is because Windows still comes with ftp and telnet clients but no ssh, so you can be guaranteed that virtually any machine you ever use will have a client.
I've had a few where code has to be compiled with optimization turned off, or set to a lower than usual level in order for the program to work...
A currency is meant as an enabler of trade, it is not a commodity in and of itself but is rather intended to be temporarily held until you exchange it for something else. Indeed, holding on to most currencies is an extremely poor investment because inflation will gradually reduce their value.
A currency has value because you can use it to buy goods, services, and trade it for other currencies. There are many sites now such as the one mentioned in this article which will exchange goods or services for bitcoins, and there are several advantages to paying for services using bitcoins over other forms of payment.
Because one country still has the dated mindset of trying to control its population by physical force and blatant propaganda, while the other realises that being more subtle is a far more effective way of achieving the same goals.
Closed source means not only will they no longer get free security updates, but eventually they won't be able to get security updates at all for any money.
Running an ATM on something that cannot be maintained is likely to get them in trouble with financial regulators in most countries.
Chances are they already have maintenance staff, the code running on top of the OS is probably already their own code and an organisation that size will already be using Linux in other areas of their business anyway.
Exactly, updating the machines to run Windows 7 is just pushing the problem out, for the same thing to reoccur a few years down the line.
Replacing them with a minimal Linux or BSD appliance is a far better plan, especially when it comes to maintenance since you can remove absolutely any unnecessary code from the system leaving a much smaller footprint that requires maintenance.
These systems running Windows will have a huge amount of unnecessary code present, like a web browser, libraries to support games, backwards compatibility libs, drivers for non-present hardware etc. All of this increases the potential for attacking the device, while also increasing the overhead of patching it.
If you install their software then you are trusting them to have control over your machine. Your hardware is doing exactly what Microsoft has programmed it to do. And every time you install updates, you are allowing them to install a new set of program code on your machine.
If you don't like it, run something else.
Yes, because a lot of PC users do nothing more than Facebook and email... Many people bought them simply because they were the only or cheapest way to access the limited functions of the internet that they make use of.
But for these people an iPad is actually a far superior device, they don't have to worry about malware infections or having to manually update a bunch of different software, or maintaining a software firewall, or running AV scans, or any of that junk.
PCs were never "ready for the desktop", they were used because there was no better alternative. Now that better alternatives are available, users are using them.
Depends what you mean by "Stuck with", for the vast majority of users content consumption is all they do, and having a large complicated workstation is very dangerous for someone who doesn't know how to manage it properly.
The mobile web traffic stat ties in with the budget handset stat... Apple only target the high end, so their customers generally have more money to spend on data service and other things in general. This means they use the service more, buy more apps and are better targets for advertisers.
A lot of people seem to think that while the credit card processors will charge retailers a fee for accepting cards, that somehow accepting cash is free...
It's really not, there are all kinds of costs to a business that takes cash. The retailer requires change to give customers, and the banks charge them for supplying small change... You also need something like a safe to store the cash in, and you face the risk of that cash being stolen and are likely to pay higher insurance costs to cover that risk. Similarly you will probably need to get that cash to the bank, which for any sizeable amount will probably mean hiring a cash courier service to take it for you. Large amounts of cash also attract the attention of the tax authorities, as it's very easy to simply pocket some of the cash and never declare it for tax purposes.
All of these costs add up such that in many cases it's actually cheaper to take cards.
You can build local copies of virtually everything, including the libc, into your own prefix so it won't affect anyone else (./configure --prefix=/home/user/blah etc)... The only thing you can't upgrade is the kernel.
Not that you should have to do this, as it's very painful to maintain, but it is at least possible.
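The private-prefix build described in that comment, as an added example that is not the commenter's own script. It assumes a Linux/ELF toolchain with `cc` on the PATH, uses a constructed two-file library and program in place of a real package, and takes the prefix path as its only argument; with a real autotools package the equivalent is `./configure --prefix="$PREFIX" && make && make install`.

```sh
#!/bin/sh
# Added example, not from the original comments: build a shared library and
# a program that links against it into a private prefix, so nothing under
# /usr or /lib changes and other users of the machine are unaffected.
# Assumes a Linux/ELF toolchain; the library and program are constructed
# for the demo. Usage: ./prefix-build.sh "$HOME/localprefix"
set -eu

# Prints the environment a later ./configure run needs to find headers and
# libraries in the private prefix. -rpath bakes the lib dir into the
# resulting binaries so they run without LD_LIBRARY_PATH being set.
prefix_env() {
    prefix="$1"
    printf 'PATH=%s/bin:$PATH\n' "$prefix"
    printf 'PKG_CONFIG_PATH=%s/lib/pkgconfig\n' "$prefix"
    printf 'CPPFLAGS=-I%s/include\n' "$prefix"
    printf 'LDFLAGS=-L%s/lib -Wl,-rpath,%s/lib\n' "$prefix" "$prefix"
}

# Builds libdemo.so and a demo binary into the prefix given as $1.
# Returns 0 on success, 2 if no C compiler is available.
build_into_prefix() {
    prefix="$1"
    command -v cc >/dev/null 2>&1 || return 2
    work="${TMPDIR:-/tmp}/prefixdemo.$$"
    mkdir -p "$work" "$prefix/lib" "$prefix/include" "$prefix/bin"

    # Constructed stand-in for a real package's sources.
    printf 'const char *demo_msg(void);\n' > "$work/demo.h"
    printf 'const char *demo_msg(void) { return "linked from private prefix"; }\n' > "$work/demo.c"
    cat > "$work/main.c" <<'EOF'
#include <stdio.h>
#include "demo.h"
int main(void) { puts(demo_msg()); return 0; }
EOF

    cp "$work/demo.h" "$prefix/include/"
    cc -shared -fPIC -o "$prefix/lib/libdemo.so" "$work/demo.c"
    # -L finds the library at link time; -rpath makes the loader find it at
    # run time from the private prefix instead of the system lib dirs.
    cc -I"$prefix/include" -L"$prefix/lib" -Wl,-rpath,"$prefix/lib" \
        -o "$prefix/bin/demo" "$work/main.c" -ldemo
    rm -rf "$work"
}

# Stand-alone use: build into the given prefix, run the result, and show
# the environment to export before building further packages against it.
if [ $# -gt 0 ]; then
    build_into_prefix "$1"
    "$1/bin/demo"
    prefix_env "$1"
fi
```

The rpath is what keeps this self-contained: without it the binary only works while LD_LIBRARY_PATH points at the prefix, which is exactly the kind of fragile setup the comment calls painful to maintain. Rebuilding libc itself into a prefix goes further than this (every binary must then be linked with that libc's dynamic loader) and is where most of the pain lies.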
Most userland apps should run just fine, even on the 2.4.x kernel providing you compile an appropriate set of libs for them.
On the other hand, what are you doing with a compute cluster running such old software? Old software is unlikely to properly support modern processors, suggesting you have a cluster of old processors... Compute clusters tend not to last all that long before they get dismantled, as it's not economical in terms of performance/watt to keep a cluster of old hardware running.
And what about the positive reviews? The same criteria should apply to those, find out who wrote them and verify their validity...
But consider it from another perspective, how can you trust a review if you aren't sure who the reviewer is, if they really exist and if they've ever actually used the service they're writing the review about?
Business owners have been known to post large numbers of false positive reviews about their own establishments.
Incidentally, if you are physically capable of committing violent crime then you are physically capable of doing legal work too.
If such people want money they should be required to work for it. Either get a job in the normal way, or if you want state handouts you should be spending normal working hours (e.g. 40 hrs/week) in training or doing community work for the state.
Think of the benefits system as a fallback job... You should still have to work and not just sit on your ass, even if your wages are coming from the state.
If you keep the jobless busy then they will have less time for crime and drugs.
And if they don't find work, what then? Do you let them starve?
Training (to make them more employable in the future) or community service.
It shouldn't be possible to sit on your ass doing nothing and get free handouts. If someone is able to work but unwilling to do so, then sure let them starve - that's their choice.
If you want money, whether you get it from an employer or the state you should be spending most of your time busy doing *something* (legal) in order to get it.
And plenty of those who "can't find a job", either make no effort whatsoever, or intentionally sabotage the interviews lined up for them by the jobcentre.