I haven't read how this softare works yet, but I can explain a bit about how a very similar piece of software called Mute works.
The paths between the sender and receiver are of variable length, between 2 and 5 links. If you are C and you receive a query for a file from A, you cannot be sure that A was the start of the chain. More often than not, A was simply forwarding a query from someone else. There is no easy way to see where the query originates from, even if you own a relatively large number of the nodes on the network.
They captured YOUR IP as being part of the download transaction, so its YOUR IP they'd file suit against.
And they would lose.
They cannot sue people for providing people access to information. If they could sue for allowing copyrighted files to pass through a computer, they could just go straight to the ISP and sue them, since all copyrighted data goes via the ISP's hardware a least once. Obviously no court will ever let them get away with that.
So no you don't have to wait until it is officially supported. If there is no ebuild in portage, you can:
Download the ebuild directly from the project page and put it in your local repository.
If the project does not supply an ebuild you can search the net for one.
If you are the only Gentoo user using that package, you can always write your own ebuild and put it on the web for others to use.
The sandbox protects you from malicious installers, but you still need to be on your guard for malicious ebuilds. Luckily ebuilds are plain text and usually short, so you should give them a read if you don't trust the source.
I use windows XP all day long...I'm hooked up on the internet and surf and download and blah blah blah all day long. Not once have I been hit with a virus or a trojan or an email attack.
That's hard for me to believe, but you sound like your above average and maybe you just are extremely careful. Either that or you have been infected with a root kit and just haven't noticed it yet? OK, I'll give you the benefit of the doubt. I will believe that you never have had a virus on Windows. But then I read this....
And everyone I personally know is lucky also as they've had the same experience.
OK now I don't believe you any more. Nearly all of my Windows using friends has had a virus at one point or another. Usually they didn't even realise it, and it was me that had to clean their PC. I either think you are lying or else you don't really know anyone at all (or they all use Mac / Linux).
Gentoo installs first in an isolated sandbox (a fake root) which prevents a malicious installation program destroying the system. When the installation program is complete, portage finds the files which were installed into the sandbox and copies them across to the real system, keeping a note of which files belong to the packages, so that they can easily be removed later.
So although the problem of installing packages without wrecking your system has been solved already.
Out of interest, how do other distros approach it?
Cuban is saying the most anyone could steal is $5.000 per month
Actually, stealing means physically taking someone's possessions away from them without their permission. If you infringe a copyright, you are not depriving anyone of their own copy, so it is not stealing.
According to the RIAA's statements, they are pursuing those guilty of piracy
Actually, piracy means... oh never mind. Let's just hang all those murderous copyright infringers! Arrr!
A lawsuit with no evidence is not going to get very far. How will you prove that information is not secured? You would have to test it by trying to break in, in order to prove your case. That is what the students should have done, then after they have the evidence, they should go to court.
To do a proper comparison, you should rate each individual vulnerability, based on: how critical its is, if there was an exploit released, how long it took to patch, etc.
Just saying 81 > 17 is not an accurate comparison at all. How do you know that the 81 vulnerabilities in IE weren't all very minor things? Have you checked? Adding in a fudge factor doesn't make up for not knowing the facts.
Also IE has been around for a lot longer so of course there has been more time to find more exploits.
On the other hand, having a lot of vulnerabilities discovered and patched is a good thing. If a large team of enthusiastic hackers sat down and combed the Firefox source code maybe they could find and fix 100 bugs. Would you suddenly turn around and say that now IE is more secure because Firefox have patched more bugs than IE? Of course not. But your x > y rule would suggest that.
I have nothing against comparing security of different browsers, but there are better ways to do it than just comparing the number of advisories released by one company.
I happen to remember that amongst the 81 vulnerabilities there are quite a few extremely critical vulnerabilities and some of these went unpatched for months, and there is still one that is unpatched. That, in my opinion, makes Firefox more secure than IE.
According to Secunia, Firefox has 17 advisories. But this does not equal 17 security errors, since many of them are 'multiple vulnerabities'. Similarly for IE.
You must also look at the number and criticality of currently exploitable bugs, and the typical speed of the vendor's response.
In Secunia's own words:
Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important.
It's open source - you don't need to buy it, just download it, make a fork, and rebrand it as whatever you want. $0 and perfectly legal. Somehow I don't see it happening though.
The two sites "update.mozilla.org" and "addons.mozilla.org" are trusted by default, and the exploit only requires these default trusted sites.
The web page first tricks Firefox into installing a trusted extension (vulnerability 1). Then it takes advantage of an vulnerability during the install process (vulnerability 2).
Separately these vulnerabilities are not that worrying, but combine them, and you have a problem.
Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description: Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
It's actually harder (and takes longer) for me to type "u" to mean "you" than it does to type "you" because I have to throw my brain into idiot mode and override my normal typing skills to get idiot-speak onto the screen.
I used to have trouble typing 'u' too, but I have found a simple solution. Just set up an auto-replace rule which changes "y-o-u" into "u" automatically. It works for me.
If once the discovery's done IBM is able to prove that SCO's case is frivolous or some such, or countersues, or something, can IBM get SCO to pay them back for the cost of collecting this evidence?
Do you actually think SCO will have any money left by the time this case is over? I bet this case only ends when SCO go bankrupt.
I don't know what it's like over there in the US, but here in Europe we have more than enough laws already. We should leave things to market forces.
A much better solution would be if the customers considered carefully each alternative before choosing which bank to go with. They should pick their online banking based on factors such as security, ease of use, and cross platform compatibility (to avoid locking themselves into one OS/browser by mistake). The information about the service should be easily available to allow customers to compare before they sign. If enough people do this, the banks which do not give what the customer wants/needs will go out of business, without a law being required.
Hmm... it's not going to work is it? Maybe I live in a too idealistic world.;)
No blaming Microsoft for this one. This time it is definitely the users' fault. The trojan simply sends a link to the contacts inviting them to download and run an executable.
And people still do it!? What will it take before people learn?
Slashdot Mirror
I haven't read how this softare works yet, but I can explain a bit about how a very similar piece of software called Mute works.
The paths between the sender and receiver are of variable length, between 2 and 5 links. If you are C and you receive a query for a file from A, you cannot be sure that A was the start of the chain. More often than not, A was simply forwarding a query from someone else. There is no easy way to see where the query originates from, even if you own a relatively large number of the nodes on the network.
Java is cross-platform. Linux / Windows / doesn't matter - it will work anywhere the Java runtime is ported.
I don't see how this piece of software has anything to do with Linux.
They captured YOUR IP as being part of the download transaction, so its YOUR IP they'd file suit against.
And they would lose.
They cannot sue people for providing people access to information. If they could sue for allowing copyrighted files to pass through a computer, they could just go straight to the ISP and sue them, since all copyrighted data goes via the ISP's hardware a least once. Obviously no court will ever let them get away with that.
So no you don't have to wait until it is officially supported. If there is no ebuild in portage, you can:
The sandbox protects you from malicious installers, but you still need to be on your guard for malicious ebuilds. Luckily ebuilds are plain text and usually short, so you should give them a read if you don't trust the source.
I use windows XP all day long...I'm hooked up on the internet and surf and download and blah blah blah all day long. Not once have I been hit with a virus or a trojan or an email attack.
That's hard for me to believe, but you sound like your above average and maybe you just are extremely careful. Either that or you have been infected with a root kit and just haven't noticed it yet? OK, I'll give you the benefit of the doubt. I will believe that you never have had a virus on Windows. But then I read this....
And everyone I personally know is lucky also as they've had the same experience.
OK now I don't believe you any more. Nearly all of my Windows using friends has had a virus at one point or another. Usually they didn't even realise it, and it was me that had to clean their PC. I either think you are lying or else you don't really know anyone at all (or they all use Mac / Linux).
Gentoo installs first in an isolated sandbox (a fake root) which prevents a malicious installation program destroying the system. When the installation program is complete, portage finds the files which were installed into the sandbox and copies them across to the real system, keeping a note of which files belong to the packages, so that they can easily be removed later.
So although the problem of installing packages without wrecking your system has been solved already.
Out of interest, how do other distros approach it?
Did anyone else's Firefox crash when visiting the parent's link, or is it just me? (Try refreshing a couple of times.)
Cuban is saying the most anyone could steal is $5.000 per month
... oh never mind. Let's just hang all those murderous copyright infringers! Arrr!
Actually, stealing means physically taking someone's possessions away from them without their permission. If you infringe a copyright, you are not depriving anyone of their own copy, so it is not stealing.
According to the RIAA's statements, they are pursuing those guilty of piracy
Actually, piracy means
A lawsuit with no evidence is not going to get very far. How will you prove that information is not secured? You would have to test it by trying to break in, in order to prove your case. That is what the students should have done, then after they have the evidence, they should go to court.
Oh wait... that's what happened.
I disagree.
To do a proper comparison, you should rate each individual vulnerability, based on: how critical its is, if there was an exploit released, how long it took to patch, etc.
Just saying 81 > 17 is not an accurate comparison at all. How do you know that the 81 vulnerabilities in IE weren't all very minor things? Have you checked? Adding in a fudge factor doesn't make up for not knowing the facts.
Also IE has been around for a lot longer so of course there has been more time to find more exploits.
On the other hand, having a lot of vulnerabilities discovered and patched is a good thing. If a large team of enthusiastic hackers sat down and combed the Firefox source code maybe they could find and fix 100 bugs. Would you suddenly turn around and say that now IE is more secure because Firefox have patched more bugs than IE? Of course not. But your x > y rule would suggest that.
I have nothing against comparing security of different browsers, but there are better ways to do it than just comparing the number of advisories released by one company.
I happen to remember that amongst the 81 vulnerabilities there are quite a few extremely critical vulnerabilities and some of these went unpatched for months, and there is still one that is unpatched. That, in my opinion, makes Firefox more secure than IE.
According to Secunia, Firefox has 17 advisories. But this does not equal 17 security errors, since many of them are 'multiple vulnerabities'. Similarly for IE.
You must also look at the number and criticality of currently exploitable bugs, and the typical speed of the vendor's response.
In Secunia's own words:
Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important.
When they can download it for free instead?
http://kernel.org/
It's open source - you don't need to buy it, just download it, make a fork, and rebrand it as whatever you want. $0 and perfectly legal. Somehow I don't see it happening though.
'Solution Status: Unpatched'
Following your own link, you can see that the exploit has been patched.
Huh?
Besides, even if that one is patched, there are many more unpatched vulnerabilities marked as critical, so my point still stands.
The two sites "update.mozilla.org" and "addons.mozilla.org" are trusted by default, and the exploit only requires these default trusted sites.
The web page first tricks Firefox into installing a trusted extension (vulnerability 1). Then it takes advantage of an vulnerability during the install process (vulnerability 2).
Separately these vulnerabilities are not that worrying, but combine them, and you have a problem.
In Firefox, to stop this vulnerability:
Web Features->Allow web sites to install software
I'll switch to MS IE as it has no known serious vulns
Internet Explorer Long Share Name Buffer Overflow Highly Critical
Yeah... whatever. I don't mind if you would rather use a browser with a known serious security problem, but saying that IE has no known serious issues is misinformed.
If you are running your web browser as root, and you get rooted, then it is your fault.
Don't run as root unless you have to.
Secunia have already released an advisory explaining how the exploit works:
http://secunia.com/advisories/15292/
This is the first Firefox exploit that has received the rating 'Extremely Critical'.
--- Extract from Secunia's site ---
Description:
Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user's system.
1) The problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an arbitrary site.
2) Input passed to the "IconURL" parameter in "InstallTrigger.install()" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.
Successful exploitation requires that the site is allowed to install software (default sites are "update.mozilla.org" and "addons.mozilla.org").
A combination of vulnerability 1 and 2 can be exploited to execute arbitrary code.
NOTE: Exploit code is publicly available.
The vulnerabilities have been confirmed in version 1.0.3. Other versions may also be affected.
Solution:
Disable JavaScript.
the patch management system in Firefox is so damn poor (ie. non-existant)
Pretty much any modern OS distribution comes with a package manager that handles upgrading for you. Time for you to upgrade your OS perhaps.
It's actually harder (and takes longer) for me to type "u" to mean "you" than it does to type "you" because I have to throw my brain into idiot mode and override my normal typing skills to get idiot-speak onto the screen.
I used to have trouble typing 'u' too, but I have found a simple solution. Just set up an auto-replace rule which changes "y-o-u" into "u" automatically. It works for me.
I hope this helps u.
17. You feel inferior deep inside but unable to admit it, you don't have a database as easy and powerful as Access.
Funny!
we're pumping the atmosphere full of food and [the vegetation is] growing like mad trying to eat it all..
:)
Very funny post
If once the discovery's done IBM is able to prove that SCO's case is frivolous or some such, or countersues, or something, can IBM get SCO to pay them back for the cost of collecting this evidence?
Do you actually think SCO will have any money left by the time this case is over? I bet this case only ends when SCO go bankrupt.
I don't know what it's like over there in the US, but here in Europe we have more than enough laws already. We should leave things to market forces.
;)
A much better solution would be if the customers considered carefully each alternative before choosing which bank to go with. They should pick their online banking based on factors such as security, ease of use, and cross platform compatibility (to avoid locking themselves into one OS/browser by mistake). The information about the service should be easily available to allow customers to compare before they sign. If enough people do this, the banks which do not give what the customer wants/needs will go out of business, without a law being required.
Hmm... it's not going to work is it? Maybe I live in a too idealistic world.
No blaming Microsoft for this one. This time it is definitely the users' fault. The trojan simply sends a link to the contacts inviting them to download and run an executable.
And people still do it!? What will it take before people learn?
Yeah, at least 110 million people use it:
http://bink.nu/Article620.bink