I wrote it years ago, but it's still quite relevant:
http://www.cert.org/blogs/certcc/2009/06/vulnerabilities_and_software_a.html
Coding quality and exploit mitigations aside, there's something to be said for the size of the software that you're installing. The more code that's there, the more there is to attack. If you're using Reader, you might ask, why is there a 3D rendering engine in my PDF reader? Or maybe even do something about it.
So FTP, Bittorrent, RTSP, are not covered?
... for certified seafood.
I tested 3.4.4 and 3.3.4 (Latest on website now) and I couldn't even find auto-update functionality. Though I can see update functionality mentioned in the documentation:
http://help.libreoffice.org/Common/Online_Update
So either they've pulled the functionality, or I'm looking in the wrong place.
And they haven't done anything about it for years, either.
http://blogs.oracle.com/malte/entry/evilgrade_and_openoffice_org
The CA architecture as it is used in web browsers is only as strong as its weakest link. It only takes one compromised CA to make the whole system worthless. Having thousands of CAs would make the problem significantly worse.
You say this as if there is a significant number of people who fall into the category. Or as if it's a bad thing. Most people do have things to hide. Like a credit card number, for example.
If part of your archiving strategy is to burn data to disc, make sure that you pad those discs with dvdisaster error-correcting data. Optical discs generally fail in a way where only part of the data is unreadable. Without extra error-correcting data, then those parts are gone forever. However, with dvdisaster, you'll:
1) Know when a disc is failing before it's too late
2) Be able to recover the data
3) Be able to migrate the data to fresh media
http://dvdisaster.net/
This issue has absolutely nothing to do with OSX.
Only half of Facebook suffers setbacks?
Um, no. Am I the only one who thinks this is a bad idea?
I mean, look at how well it worked out for DIVX.
Did you consider that old versions of Skype contain vulnerabilities? So how is this much different than Google pushing out Chrome updates that fix vulnerabilities?
Firefox 4 was a huge step backwards from a UI perspective (no more status bar, stupid scrolling tabs with no trivial way to shrink widths, etc.). This would be just another step in the (wrong) direction that they're going.
If the link is shorter, then I wouldn't call it a fake URL shortener. I think a more sane explanation of what is going on there is that spammers are using redirectors to avoid detection by users and URL-shortening services.
Nothing to see here.
You know... there is a fix for that.
You must realize that shutting down the government is not a money-saving act. It is actually much more expensive to shut down the government than to keep it running.
Can we keep the logical fallacies out of this? Making any accurate generalization about the robustness of software would require extensive testing. For example, one could perform a fuzz testing campaign against both Microsoft Office and OpenOffice and compare the results. And even then, the conclusion would be an extrapolation of the functionality that you tested.
Concluding that Microsoft Office is flaky because Abiword saved you once in 1996 is naive to say the least. I'm not defending Microsoft or Oracle or LibreOffice or Abiword, etc. But to rate software robustness based on a small amount of anecdotal evidence is irresponsible.
If you are archiving to optical discs, make sure that you use dvdisaster:
http://dvdisaster.net/
It allows you to utilize all of the unused (otherwise wasted!) space on a disc with distributed error-correcting data. It is free, cross-platform, and trivial to use. As an experiment, I burned a dvdisaster-padded CD-R and made a deep scratch on the surface with a key. Dvdisaster was able to recover the data without any trouble.
It's quite brilliant software!
Yes, I do remember writing that article in 2008. Thus the "Nothing new here" comment. What specifically has changed since then? Have they significantly changed the security dialog? Or changed the default behavior of trusting all applications from the signing vendor? Or implemented a killbit-like blacklisting of bad applets?
It's been known for a while (among those in the security field at least) that signed Java applets have been a concern. A little more info:
http://www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html
Well that's just great! You're telling me it's not safe to lug my HDTV into Starbucks anymore?
But you should be able to view a cached copy here:
http://connectify.blogspot.com.nyud.net/2010/12/why-leather-cover-crashes-kindle-3.html
Not sure if the change was intentional or what.
I'm confused. So they were on the Ark or what?
Windows XP users are left out in the cold. Between the lack of sandboxing like low-rights IE or Reader X, or other mitigations like ASLR, Windows XP is turning out to be a dangerous platform to use.