Posts by eulampios

@h4rm0ny

I said that GNU/Linux would be pretty much the same malware-wise if it had the same user-base as Windows. That's not a dig at GNU/Linux, that's a simple and supportable opinion.

That's your theory, a hypothesis. It might not be true though.

Is it that you're forgetting the fact that you have to type in your password more times with Debian updates than for only two apps (FF and IE) in Windows. 2 vs all? Would you also prefer have an important, security update available ASAP than once a month? Please answer these questions:

-- there are only two pieces of software that needs updates, and/or

-- all the rest software stays magically updated without you needing to type in any passwords?

-- you can get updates for the 99.999% of installed apps, just like in Debian ?

-- updates for 3-party software are taken care of by a central packaging Windows system that installs, verifies the authenticity and integrity, checks for dependencies, keeps records for, notifies about and performs the updates when available of every piece of software

--Microsoft after all those long 20 some years has finally built itself a repository/store where you can securely install and update all apps and dlls?

If this is not completely true you might need to reconsider your little "congruency" theory, I suppose.

@JDX

No, the bias is in this generality that all OSes being counted were obtained the same way. No, they aren't, and we both know this well, don't we?

Probably 99.9% of manual Windows installs are done on machines which came with Windows in the first place.

Yes, let's count all the manual installs.

Re: Apples & Pears

this is right, however, the most popular non-static content is PHP. Nginx handles it perfectly via fast cgi. This is also true with Perl, Python, Ruby. AMOF, my toy Perl cgi scripts run very well indeed.

@Slawek and dogged

And why do you assume that all "members of community" have benevolent intentions?

Just the mere statistics. The Law of Big Numbers (quite an important topic in Statistics and Probability Theory) The fact that with an open code given enough popularity for the project, the chances are higher than in the case when it is proprietary.

@dogged

Why do you have to trust all developers? A few people might be enough to spot mistakes or malevolent intentions of those you don't trust. Once again, no code is available to examine, change and redistribute, you have to have a trust to one entity? How reliable is that?

Okay, who do we trust? Say, Adobe flash player, pdf reader? Yes, sure. No malevolent intentions are needed.

A suggested list

Evidence? Try taking similar proprietary product and the one with the source code freely available. Compare their performance, stability, popularity, security, scalability, versatility, flexibility, portability, availability, ease of use, ubiquity, adherence to the main principles of IT etc.

Say,

1) Linux kernel, Free,Open,NetBSD, Darwin vs. NT kernel

2) vim, GNU Emacs vs notepad ;) okay, you can take Visual Studio editor

3) a GNU Linux, a BSD distro vs. Microsoft Windows

4) gnu bash, zsh etc vs. power shell

5) Apache, nginx vs Microsoft IIS

etc

So what do we get here?

Re: there is a gnupg though

Note that GCC C does not issue a diagnostic for the GnuTLS or Apple SSL/TLS bugs even with "all" warnings enabled.

And which one that could compile them both would? For as many architectures?

there is a gnupg though

a very popular product, even the diehard jobsians, BSD-only, gpl haters cannot live without. There is also a gcc that is still the best compiler. Those allergic to gpl, gnu and FSF are creating their own clang compiler....

Re: @AC

None of your links talk about successful exploitation of getting a root. The first of them does mention an escape from the sandbox on the browser (very old one, applicable only to devices prior to Android 2.2) AMOF, MS Windows had no mandatory app sandbox mechanism (at least until Windows 8). So, again nothing specific.

Sure - but Linux has historically had some of the highest vulnerability counts of any OS (approaching 1,000 known holes in the kernel alone)

So, what is counted? Without weighing severity of each bug, one cannot say just by looking at the number. Does it apply to ALL versions of Linux, all or most generic configurations, architectures or not? You see you apply the monolithic Microsoft measure to this. MS kernels or whatever they call kernel cannot be configured in many gazillions ways with various options (like built into or as separate etc module). There is many more architectures and so many more current and extant versions of Linux kernel out there than for any other OS. Heterogeneity of Linux distros and Linux kernels diminishes that number substantially.

Re: @AC

IE has a 75% market share of PC users

According to various statistics IE's market share fluctuates around 25%. Not sure where did you get the 75% number. It's pretty unlikely, if the 25% estimate is correct since Firefox, chrome et al are also counted for PC users.

but there certainly have been previous exploits that have rooted Android via the browser,

Links please, or do you mean a browser/Android exploit together with the privilege escalation exploit of the Linux kernel can render that. That is theory, a possibility, yet it doesn't mean it had been ever demonstrated.

hat has sucessully attacked OS-X / Linux via the browser

So again, you're trying to make it sound like it had happened.

Potential, yet a very unlikely situation. Did you follow our own links and saw that this java trojan would write itself /etc/init.d? How well do you know Linux-based systems to run web browsers as root?

A java browser plug-in exploiting a patched java vulnerability?

I am not using java plug-in, even most people don't use it nowadays (FF turns it off by default). JS is more of headache due to a much heavier use, FF's user are still more safe with noscript...

Re: @AC

... but that company X fixes a problem with their browser faster than company Y doesn't even scratch the surface of what each company did to make the fix.

Since IE is a fully proprietary software, don't even guess what they are trying to do. Even Google's Chrome get their patches surfaced in the free Chromium.

Dear AC, you said that MS is faster to fix security bugs on IE than Google is on Chrome. You didn't provide any links for this allegation. I mentioned a few cases where MS was very slow. So are getting any links or not?

It also doesn't mean that Google and Mozilla tested their fixes with the same amount of hardware/software combinations to make sure that they worked.

Neither does it mean the converse. Should I be reminding you that Mozilla's Firefox and Google's Chrome run on the much wider scope of hardware and operating systems?

In general, MS takes too long to fix bugs and still get into trouble, say, when a few Windows systems wouldn't boot after a kernel patch. No, it's not the problem of those who patch it, it's the fundamental problem of the OS underpinning going against the modularity principle. AMOF, a faulty kernel update on a GNU/Linux system could easily be circumvented by booting into the old kernel. Sorry to break your Redmondian bubble.

@AC

How is that possible for MS to be faster with a scheduling it Tuesday every month? It would be interesting to see the analysis of the average time before fix. However, according to wikipedia, FF in 2006 was much faster in fixing than was IE , while having less security vulnerabilities than the latter. I also remember a few incidents on pwn2own, when both Mozilla and Google had patched their flaws almost immediately after the competition was over, while it took more than a month for MS to do a similar task.

As of the exploited vulnerabilities in the wild, Chrome was has yet to be mentioned, it's primarily MS IE that is exploited. On top of that, Firefox got the noscript plugin that makes overwhelming majority of exploits virtually useless.

It should also be emphasized, that the exploits both working exploits and exploits in the wild have been demonstrated on the MS Windows, not GNU/Linux, Android, FreeBSD etc. So, MS has to be born in mind and always mentioned as a responsible party.

not completely correct

I do agree with you, though, would like to say that Google approval doesn't have to do with Google Play, formerly known as Android Market. This might be true about the Google Play as an app itself, where you search for an app, install it etc. However, I would doubt that too. There is no such limitation. Moreover, one can use GP on even a few Blackberry devices.

Re: Linux Support

No - it's just as simple to exploit Flash under Linux.

Is it easy to say, or easy to do?

Have you written it for this one already so we, Linux desktop users, aka ghosts, could all try? E.g., on this system LMDE, with the kernel being 3.12.9-custom+, x86_64 GNU/Linux .

Thanks in advance.

@AC: not very plausible figures...

Actually there is LOADS of Android malware out there, and about 0.5% (1 in 200 devices) are currently infected:

AC, your zdnet link points to the article that mentions another "Alcatel-Lucent report" stating your figures. Well, if the memory doesn't fail me it's one of the first attempts to count the actual number of trojaned android systems. However, the mentioned methodology is not very convincing to say the least. No details are provided, yet according to their own paper:

To accurately detect that a user is infected, our signature set looks for network behavior that provides unequivocal evidence of infection coming from the user’s computer. This includes:

Although for Windows all of those methods might be eligible, for Android it could only be #1, thanks to the Android's separation between apps. Other usual revelation of a malware activity they talk about is texting or even placing calls, yet they cannot intercept it.

Okay, so, it's from their sample a .5% of Android devices they found to engage in some C&C communications? Can we do it globally and monitor it world-wide? Yes, why is it not detected world-wide that a .5% of a billion (or more), some 5 million devices are flooding the Internet? Moreover, no figures of those activities seem to exist outside of the Kingsight's vigilant sight, because those might indeed be negligible or non-existent.

here's another quote: The table below shows the top 20 Android malware detected in Q2 in the networks where the Kindsight Mobile Security solution is deployed...

Kingsight seems to be able to not only detect so many C&C communications, they can easily distinguish between the actual species of trojans... No details of this innovative approach is attached with the report though...

Is it a scientific finding? To me it rather looks like another AV scaremongering ad.

@AC

If you're going to write a virus you target the biggest OS.

For this very purpose you might also make sure to choose the arguably most fattest and messiest OS available.

Re: How quickly we forget

Blarkon, it might be because Google has never done it before. They only counter-sued as a response when some other companies (let's not name those ones from Redmond and Cupertino) having sued Google exactly for patent infringement.

Re: Crazy Platform

Indeed boring for a Windows-oriented mind. Too much simplicity, order and too little mess, bloat and room for the MIcrosoft-type creativity .

Android is riddled with money stealing malware that no-one is doing anything about

In you dreams and imagination it might be. Android malware are always presented in numbers that are available for download (usually outside of Google Play). No numbers of successfully installed ones are ever given., unlike with MS Windows where we almost always know an estimate for the number of PC to suffer from a particular malware.

I don't care if it's design is any good or not, the end result is that there's a shed load of Android malware.

Right, good design is detrimental, let's rewrite the postulates of modern IT... How big is this shed that gets to actually infect?

(Anti) Virus software is an afterthought, and the result of many Microsoft's blunders, it's not a good idea after all.

Re: Crazy Platform

bazza, you seem to not understand. Android, unlike any version of Windows, isolates apps giving them separate uid's and thus has them running in a sandboxed env. Each uid routinely joins various groups with different permissions. These permissions are also transparent to a user.

All apps are pretty much equal and cannot have higher privileges over each other. An admin (the user) or root can go over their heads. You cannot simply allow an app on an unrooted system to do just that.

All those features combined is a good measure against malware already.

This is why Windows is so vulnerable and helpless against viruses and trojans. MS Windows is the one that is crazy.