Re: risks of using net apps as a user in wheel or adm?

To: debian-user@lists.debian.org
Subject: Re: risks of using net apps as a user in wheel or adm?
From: Joe <joe@jretrading.com>
Date: Sun, 04 Nov 2007 19:23:47 +0000
Message-id: <[🔎] fgl684$gp$1$8300dec7@news.demon.co.uk>
In-reply-to: <9luFB-2Pr-11@gated-at.bofh.it>
References: <[🔎] 20071102171958.GB7681@titan.hooton> <[🔎] fgg4sf$d82$1$8302bc10@news.demon.co.uk> <[🔎] 20071102231741.GN12370@localhost.localdomain> <[🔎] fghj90$reo$1$8302bc10@news.demon.co.uk> <[🔎] 20071103170314.GQ12370@localhost.localdomain>

Andrew Sackville-West wrote:

On Sat, Nov 03, 2007 at 10:41:35AM +0000, Joe wrote:

Andrew Sackville-West wrote:
On Fri, Nov 02, 2007 at 09:29:51PM +0000, Joe wrote:
Microsoft Update and apt-get are probably as close as you get, and Iwouldn't bet a large amount of money that either is 100% safe. One day MUwill get hacked, and the whole world will collapse.
wow, that's quite a comparison: Microsoft Update which will secretly
upgrade stuff on the system even when explicitly told not to versus
apt-get which must be explicitly told what to do and then asks "are
you sure?" And I won't even go into the parts where you get to look at
apt code...
Frankly I hope MU does get hacked (if it hasn't already) because some
people need to learn some lessons, not the least of which is MS itself
for releasing such tragically flawed software to begin with. Note thoughthat I do not wish ill upon the poor users of this
product... merely that the PTB's over there would get a clue (and yes
I know many of them do have a clue, just not enough or the right ones).
Ah, I wasn't comparing operational use,


fair enough...

just the systems as beingreasonably tamper-proof methods of delivering software from the originalsources to the user.


see, there is a significant difference here. MU allows kernel level
software upgrades to be loaded into the system without admin
intervention or knowledge. So it appears to me that MU is *not*
reasonably tamper-proof and is infact designed to be tampered with..

The vast majority of downloaded software comes fromunidentifiable sources via paths which are relatively easily hacked.


The vast majority of whose software? All mine comes from signed

archives with keys that I can verify.

The MU issue is simply one of monoculture, not software quality.


I disagree. The whole MU issue is about fundamentally flawed ideas
 about software. The software produced from a flawed concept (that its
 okay to have some party arbitrarily install kernel level software
 remotely without admin interaction) is flawed and not quality
 software.

If 90% ofthe world's PCs used apt-get daily, the repercussions of malware smuggledinto major packages would be just as serious as an MU hack today.


Yes, except again, if the apt repositories were compromised, we would
still have the option to not bother typing apt-get upgrade (once the
news got out, of course. Some would surely still fall...). If someone
hacks MU, then that hack can be distributed automatically to every box
to be automatically installed even if the admin has turned off the
automatic install "feature".

BTW, I'm not sure that we're actually arguing here. It maybe that I
just don't understand what you're saying :)

It was to do with the original point, active client-side content of webpages, really. This was the 'vast majority of downloaded software' Imeant, and was contrasting it with the distribution of systemexecutables, which is done relatively safely. Microsoft may not be asethical as we would like, but so far the actual distribution system hasremained fairly tamper-proof. Whatever malicious software ends up in themachine is exactly the malicious software that Microsoft meant todistribute. And if the use of apt reached Windows-like proportions, howmany people would manually invoke it each day? How many would scour theInternet for half an hour first, looking for evidence that the pendingupdates were safe or not?

My point was that the mass of JS, Flash etc. which is taken as a normalpart of web browsing, is as Doug said back in the beginning, theexecution of someone else's programs on your computer. I'm not convincedit's the right way to be going, and I'd like to see the processing doneon the server, with only the client's screen being affected by theresult. I doubt that many Linux users would disagree, it's always beenthe Windows world that has pushed the PC as an entertainment machine,owned by Microsoft and the other software writers rather than the personwho paid for it. A few more attributes of html tags would in my mind bepreferable to requiring JS for quick entry validation, for example. I'ma bit uneasy that even banks seem to find JS indispensable, when for thekind of simple user entry processing involved, it certainly isn't.

And while I'm a user of Windows, and indeed a Microsoft Partner, it'spurely for economic reasons. I sup with the longest spoon I can find,and I've yet to find a good word to say about the company itself. Buthey, I deal with my government, whose ethics are lower still.

Reply to:

Follow-Ups:
- Re: risks of using net apps as a user in wheel or adm?
  - From: Andrew Sackville-West <andrew@farwestbilliards.com>

References:
- risks of using net apps as a user in wheel or adm?
  - From: "Douglas A. Tutty" <dtutty@porchlight.ca>
- Re: risks of using net apps as a user in wheel or adm?
  - From: Joe <joe@jretrading.com>
- Re: risks of using net apps as a user in wheel or adm?
  - From: Andrew Sackville-West <andrew@farwestbilliards.com>
- Re: risks of using net apps as a user in wheel or adm?
  - From: Joe <joe@jretrading.com>
- Re: risks of using net apps as a user in wheel or adm?
  - From: Andrew Sackville-West <andrew@farwestbilliards.com>

Prev by Date: Re: Search for BTN based software
Next by Date: Re: Contacts printing
Previous by thread: Re: risks of using net apps as a user in wheel or adm?
Next by thread: Re: risks of using net apps as a user in wheel or adm?
Index(es):
- Date
- Thread