That is because Ubuntu gives you the open source 'nv' driver instead of the proprietary 'nvidia' driver. Any bugs you found have nothing to do with the distro-provided packages of the proprietary drivers.
Yes, my point is that *both* the official ATI and NVIDIA packages are shit. Users are much better off sticking with the official packages provided by their distributions.:)
The difficulty comes later on when you need to install or upgrade something else and the shitty packages built by the idiots at ATI who know nothing about how Debian-based systems are put together break.
Hm, I really didn't know that the Windows situation was that bad! I assumed that you'd be pretty safe as long as you kept your machine patched. I guess I fell for the MICROS~1 propoganda.:)
I agree that injecting keypresses into a terminal might be a bit tricky, but I really don't see what is so hard about waiting quietly for the user to authenticate themselves to sudo, and then have the malware run sudo to elevate its priviliges. I honestly believe that the only reason that this doesn't happen very often is because it is a lot harder to get a Mac user to execute arbitrary code in the first place.
Not with Debian. The job of making sure that the contents of a package are safe is that of the package's maintainer as listed in the package metadata. Additionally, the ftpmasters inspect all packages for technical and legal problems when they are first uploaded to the archive, and also whenever a package adds or removes a new binary component (e.g., libfoo1 changing to libfoo2). The security team keeps a handle on new vulnerabilities, and the security audit team looks for existing vulnerabilities in Debian's packages (although the output of the audit team seems to have slowed down/stopped recently... perhaps there are no security bugs left?:) )
Of course, all of this is not perfect, and at the end of the day if you are paranoid, you have to run 'apt-get source foopkg' and inspect the result yourself before you install it. I don't think this will ever change, for any operating system.
You may call all of this an exception to the rule, I just think all other operating systems are a waste of time.:)
But I can't use Orca on an NSIS installer, or an InstallShield installer, etc. etc. Also it assumes that the MSI is just on the disk and not packaged up inside some other exe file (WHY do people do this!?!). Whereas an RPM or Debian package is just a package that one can always easily inspect to see whether it is capable of doing nefarious things (that is, the package itself--of course the packaged program may do bad stuff, but that is another problem that is solved by only installing software from a trusted source and/or auditing the package source).
Mplayer was not a personal dispute. For a very long time, Mplayer could not be included because of the unclear licensing status of its code. Fortunately, that is all in the past--mplayer will be included in the forthcoming Debian 4.0 AKA "etch".
PS, note that I used the;) smiley. My comment was not 100% serious;)
Regmon and Filemon are useless--by the time you analyse the results, the program has already executed.
FYI, the maintainer scripts can be any executable--nothing stops them from being binaries. But I doubt such a package would ever be accepted into the Debian archive.
Good point however about the postinst script executing a binary that was just unpacked by the package. Fortunately I don't worry about this since I can always run 'apt-get source foo' and examine the source for the foo package directly.:)
No, you don't. Unless you disassembled and analysed the program you are trying to run.
UAC gives you the ability to analyse every priviliged action that the dodgy third party application you are trying to run is trying to take. Until I read this article, I thought it was a pretty good idea. Now I see that MICROS~1 have fucked up yet again, and made it absolutely useless in the real world (the default configuration).
In the unix world, if I want to modify a file that I don't own I must elevate my permissions using something like su root. And that's somehow *less* annoying than Vista's UAC prompt?
Much less annoying, because in day to day use you don't *have* to do anything that requires elevated priviliges. Thanks to years of fuckups by MICROS~1, when using Windows you must have elevated priviliges in order to run ordinary application programs.
Synaptic will only install software from the safe Ubuntu archive by default. By contrast, Vista will run untrusted third party software with full administrative priviliges by default.
I really thought that finally, MICROS~1 had got their act together and fixed their fucked up security system. I guess I was wrong.
Deleting a shortcut that the user does not have permission to delete brings up the popups.
In previous versions of Windows, and other operating systems, the user would simply be told that they do not have permission to delete the shortcut, tough beans.
Slashdot Mirror
Of course there is. They are not free software. I am unable to alter them to fix bugs or add new features.
"Nothing happened" != "Permission denied".
GOD. There should be some code in chmod that activates when the user does that. The code should punch the user in the face.
You are not understanding what I am saying. Your problems are with the default 'nv' driver. I am saying that NVIDIA's own installer for their proprietary driver is bad/crap/dangerous/buggy, and that people should use the packages of the proprietary driver that are provided by their own distribution (in Debian's case: http://packages.debian.org/cgi-bin/search_packages .pl?keywords=nvidia&searchon=sourcenames&subword=1 &version=all&release=all).
That is because Ubuntu gives you the open source 'nv' driver instead of the proprietary 'nvidia' driver. Any bugs you found have nothing to do with the distro-provided packages of the proprietary drivers.
Yes, my point is that *both* the official ATI and NVIDIA packages are shit. Users are much better off sticking with the official packages provided by their distributions. :)
The difficulty comes later on when you need to install or upgrade something else and the shitty packages built by the idiots at ATI who know nothing about how Debian-based systems are put together break.
Do yourself a favour and stick with the official packages: http://packages.debian.org/src:fglrx-driver
Hm, I really didn't know that the Windows situation was that bad! I assumed that you'd be pretty safe as long as you kept your machine patched. I guess I fell for the MICROS~1 propoganda. :)
I agree that injecting keypresses into a terminal might be a bit tricky, but I really don't see what is so hard about waiting quietly for the user to authenticate themselves to sudo, and then have the malware run sudo to elevate its priviliges. I honestly believe that the only reason that this doesn't happen very often is because it is a lot harder to get a Mac user to execute arbitrary code in the first place.
It costs $0.0045 on ebay? :)
Not with Debian. The job of making sure that the contents of a package are safe is that of the package's maintainer as listed in the package metadata. Additionally, the ftpmasters inspect all packages for technical and legal problems when they are first uploaded to the archive, and also whenever a package adds or removes a new binary component (e.g., libfoo1 changing to libfoo2). The security team keeps a handle on new vulnerabilities, and the security audit team looks for existing vulnerabilities in Debian's packages (although the output of the audit team seems to have slowed down/stopped recently... perhaps there are no security bugs left? :) )
:)
Of course, all of this is not perfect, and at the end of the day if you are paranoid, you have to run 'apt-get source foopkg' and inspect the result yourself before you install it. I don't think this will ever change, for any operating system.
You may call all of this an exception to the rule, I just think all other operating systems are a waste of time.
AFAIR OpenOffice.org has its own installer still.
I wish dpkg could simply be ported to Windows, but for both technical and legal reasons it is probably impossible,
But I can't use Orca on an NSIS installer, or an InstallShield installer, etc. etc. Also it assumes that the MSI is just on the disk and not packaged up inside some other exe file (WHY do people do this!?!). Whereas an RPM or Debian package is just a package that one can always easily inspect to see whether it is capable of doing nefarious things (that is, the package itself--of course the packaged program may do bad stuff, but that is another problem that is solved by only installing software from a trusted source and/or auditing the package source).
Assuming you can get the devices to agree on encryption protocols and supported resolution. A few reboots usually does it.
The beginning of time called. It wants its old, tired joke back. And this one.
That's no good unless everyone *uses* MSI, though. And in my experience, no one does.
Even apps that do use it behind the scenes wrap it inside an exe that could do anything it wants before installing the package,
Mplayer was not a personal dispute. For a very long time, Mplayer could not be included because of the unclear licensing status of its code. Fortunately, that is all in the past--mplayer will be included in the forthcoming Debian 4.0 AKA "etch".
;) smiley. My comment was not 100% serious ;)
PS, note that I used the
Regmon and Filemon are useless--by the time you analyse the results, the program has already executed.
:)
FYI, the maintainer scripts can be any executable--nothing stops them from being binaries. But I doubt such a package would ever be accepted into the Debian archive.
Good point however about the postinst script executing a binary that was just unpacked by the package. Fortunately I don't worry about this since I can always run 'apt-get source foo' and examine the source for the foo package directly.
Hm, do you have any details about this for the lazy reader? I always wondered why you couldn't just emulate the TPM...
The key phrase there is RPM hell. You should have used Debian. ;)
Someone should make a spoof like this and put it on the tubes.
UAC gives you the ability to analyse every priviliged action that the dodgy third party application you are trying to run is trying to take. Until I read this article, I thought it was a pretty good idea. Now I see that MICROS~1 have fucked up yet again, and made it absolutely useless in the real world (the default configuration).
Synaptic will only install software from the safe Ubuntu archive by default. By contrast, Vista will run untrusted third party software with full administrative priviliges by default.
I really thought that finally, MICROS~1 had got their act together and fixed their fucked up security system. I guess I was wrong.
You should be more precise.
Deleting a shortcut that the user does not have permission to delete brings up the popups.
In previous versions of Windows, and other operating systems, the user would simply be told that they do not have permission to delete the shortcut, tough beans.
Why does Photoshop need to mess with system files?