* Posts by eulampios

1248 posts • joined 10 Aug 2011

Microsoft frisked blogger's Hotmail inbox, IM chat to hunt Windows 8 leaker, court told

eulampios

@ cornz 1

the difference between Google and MSFT, as it now follows from it, is that Google throw ads at their customers, Microsoft throw their customers in jail.

Yes, who'd have thunk that, scroogled vs. screwed:

Hypocrisy (Frailty) -- thy name is Microsoft!

1
0
eulampios

it's not only his employer's mail server

it is also used by a few hundred other million people. Otherwise it would have been @microsoft.com, @redmond.com or @windows.com

This news should be advertised much more. Think about all those squandered millions on the "don't get scroogled" campaign? Yeah,

-- Google reads your emails on gmail, and if their scripts do it for them to serve you ads, our security staff personally reads it on outlook/hotmail when we want to put you in jail! Still not willing to migrate from gmail to outlook?!

10
1
eulampios
Devil

@ Chris Miller and Khaptain

What sort of idiot employer and idiot employee are those?

It's a Microsoft employee and his employer. Who is a lesser idiot? Well, I am not sure.

3
1

Hidden 'Windigo' UNIX ZOMBIES are EVERYWHERE

eulampios
Meh

@h4rm0ny

Okay, it seems that you're trying to sound superior to me and giving me a lesson here and there. I, on the other hand, was attempting to refrain from a pedantic tone.

What appears to me even before I got into this discussion (futile as I see, and it's not the first time we are disputing this over) with you is that your arguments are disingenuous at best.

Let me read how you rebuffed someone who brought up a few more arguments.

1
1
eulampios

Re: @h4rm0ny, permissions

I'm not really familiar with Android so I'm not quite sure what you mean

The implemented Android permissions system, where every app, when it gets installed, acquires a unique uid, so all apps are separated from both the user's data and other apps. It routinely joins certain groups seen to the user as certain permissions groups at the install time. This is done to fight apparent insecurity of an app and the fact that it could be a trojan. With the introduction of SELinux a user might get even more power of that to turn some permissions off even when installing an app and agreeing to them.

Even without the SELinux part this is very smart, yet it is based on the good ol' POSIX permissions system. So it is smart and simple.

I am pretty baffled by the fact that you never heard about it.

My question is, why didn't Microsoft invent it, since they have been in need of this 2 decades ago. I don't think it's only "Dave Cutler's own allergy to Unix" business. It's more of a culture issue, what is good, what is smart and how smart, political is the one that actually makes decisions, I might be wrong though.

I was mentioning it to demonstrate that simplicity can lead to some very clever things (more complex but still simple enough).

My reason for mentioning AppArmor without SELinux was based on the fact that AppArmor is a more proper extension of the filesystem permission system than SELinux. Not making any points about which one of them is a better MAC implementation.

My point with Unix/Linux acl utility was that you can use a more fine grained access control mechanism if in need and when the simple system gets on your way.

0
0
eulampios

Re: Services, @h4rm0ny

I would like to clarify a little more on what I said earlier.

1) free and/or open source:

Security through obscurity has been demonstrated to be a fallacy time and again. Moreover, dangerous bugs in proprietary apps are usually spotted through reverse engineering. So an exploit gets ready before you get a chance to see the code (especially, for someone that wants to patch it before MS or any other owner finds time and resources to do it for you and get it shipped).

2) when people question the advantage of the code being available for study, they perhaps might have something different than me (and many other people) in mind. So what do we have here? Linux kernel that surpassed any proprietary kernel implementation in so many categories. And BTW, the only way you can defend proprietary implementation of a particular project is to compare the binaries performance. And what can we compare? The abominable Flash-player vs mplayer or vlc? adobe pdf reader with evince/atril, kpdf etc?

In more detail -- 64 bit skype version for GNU/Linux vs gpl-ed linphone. I got several 64bit Debian (and Debian systems here). Whenever I install skype, MS offers a 32bit version only. I have to use a multiarch option for it and install a whole lot of i386 libs (the apt does it for me). Perhaps due to this fact, I can't get the sound properly, you get so many sound devices and options in the options->sound devices tab, so it's a poor non-user-friendly, which doesn't work reliably anyways. To compare it with linphone available for most architectures for both 32 and 64 versions. Works flawlessly out of the box. BTW, it's not the only case of a proprietary code that has portability issues. What does that tell us? Without looking at the particular source code, one might observe a design problem, as I mentioned earlier, perhaps the developers could not distinguish all modules that should be separated. Do you have another hypothesis why MS cannot bring their code in order?

This is a response to your "That I flat-out reject as straight bias. You're just stating that GNU/Linux programmers are better than MS programmers..."

I'm trying to remember the last time I actually compiled my own kernel and I'm pretty sure it was about three years ago...

I do it regularly, it's no rocket science and is easily automated. The only obstacle is the hardware that builds, it better be a multicore recent system, like one of my machines I utilize for it spends about 10 mins to do it. More importantly, that you conveniently forget or talk this issue down. Don't you know that different distributions use different configs with different options turned on and off? There are a lot of intersections, yet they are not quite identical. Let's take an example of the last CVE, CVE-2014-2523 found in the Linux source code. If you look and see which distros and versions are vulnerable, you'd find no common denominator: most generic kernels shipped have this dccp protocol option turned off. Mine is on though (I am using a customized 3.12 version from Debian sid). Let us now try figuring this out for Windows. Do we have any variations in the kernel among the current up-to-date version? There might be some between XP, Vista, 8 and 8.1. Not as many as with the Linux versions even in the 3.* range, and none within the same version of OS or kernel as a particular Linux kernel version can have.

If this is not a great advantage, I don't know what is for you? I mean, if you do not recognize heterogeneity as a huge advantage before homogeneity from the security stand point, we have different views here.

That's pretty much just a restatement of your previous point...

Not necessarily, the kernel is one thing, particular setups may not have to follow it. Once again, MS have/has been deaf for quite a long time to various remarks about their weakness as no way to strip a system down to a bare minimum before. They now recognize that and are talking about lowering the attack surface. And they are getting better, yet still not quite the same place where Debian and most other Linux and BSD distros have been for decades already.

Yes, a million different variations are great for consistent security and making sure your fix for your software is on all platforms in all the different packages. Surrrrre.

It's a flawed argument in my opinion. My counter to this is that it had never been a problem in the past. Or do you know any examples where this was the case? Committing a patch to all versions of the kernel is absolutely not a big deal, thanks to git. Distros are even faster to patch very important vulnerabilities. If we're talking about the kernel again. No waiting for the Tuesdays patch, remember? :)

Again, you're shifting things into a weird game of My Team scores more points than Your Team...

If you didn't get it, I'll reiterate it for you, now it makes more sense after you have praised MS acl in your other comment, I would like you to come back to the Android open source realization of what MS should have done to fight so many trojan issues. No they didn't invent it, neither they touch upon many other categories. I mentioned them aplenty above. And BTW, the ultimate incentive for MS and most other proprietary entities are making as much money as possible. MS is a huge company, they probably have many talented programmers and designers (I mean, project and software designers). They also have as many or more managers, lawyers, financiers that have very different agendas than producing a good code and design. No, am I wrong? Didn't they try to "implant IE into the OS" to make non removable? What about the Vista to require more resources to make people upgrade to higher end hardware? What about their decisions in security, like ease of Auto-Play/Run? The decision to hide API's, poorly documenting them? To not ship products for alternative OSes damaging the design decisions so many times (remember 64 bit rewrite issues)? Deliberate incompatibility with other competitors products in their own? If this doesn't appeal to you, I apologize...

0
1
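The comment above argues that exposure to a kernel bug depends on how each distribution configured its build. As an added example (not part of the original post), this script reads a kernel build config and reports whether an option is built in, a module, or off. The option name `CONFIG_NF_CT_PROTO_DCCP` is an assumption, since the post says only "dccp protocol option", and the two config fragments are constructed samples.

```shell
#!/bin/sh
# Added example: report how a kernel build-config option is set.
# Assumption: CONFIG_NF_CT_PROTO_DCCP is the option meant by the post's
# "dccp protocol option"; pass another name as the second argument to override.

OPT_DEFAULT=CONFIG_NF_CT_PROTO_DCCP

# kconfig_state FILE [OPTION]
# Prints one of: builtin | module | off | unknown (file not readable).
kconfig_state() {
    cfg=$1
    opt=${2:-$OPT_DEFAULT}
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 0
    fi
    # Match "OPT=..." or "# OPT is not set" exactly, so that longer option
    # names sharing the prefix are ignored. The last matching line wins,
    # as it does when config fragments are merged.
    line=$(grep -E "^(# )?${opt}(=| is not set)" "$cfg" | tail -n 1 || true)
    case $line in
        "${opt}=y") echo builtin ;;
        "${opt}=m") echo module ;;
        *)          echo off ;;   # explicitly unset, or absent from the file
    esac
}

# code_present FILE [OPTION]
# Succeeds when the option's code is part of the build (built in or module).
code_present() {
    case $(kconfig_state "$@") in
        builtin|module) return 0 ;;
        *)              return 1 ;;
    esac
}

# Constructed sample configs (not taken from any real distribution).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/config-custom" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CT_PROTO_DCCP=m
EOF

cat > "$SAMPLE_DIR/config-generic" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NF_CT_PROTO_DCCP is not set
EOF

for f in "$SAMPLE_DIR"/config-*; do
    printf '%-16s %s\n' "${f##*/}" "$(kconfig_state "$f")"
done
```

On a running system the same function can be pointed at the config file shipped with the installed kernel, commonly `/boot/config-$(uname -r)`.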
eulampios

@h4rm0ny, permissions

Are we looking at and talking about the same thing really?

Correct me if I was wrong about the xp nightmare with the privileges gone wild? Even if it was improved in the higher versions of Windows, it has still brought a lot of damage as the most popular version of MS Windows as of recent.

Correct me also if it is true for every even modern version of MS Windows to not require any explicit privileges of a file to be executable? The system or shell decides whether it is or not and judges about it by looking at the extension of the file? No need for prompts like in your case with XFCE, (not in mine with the Mate desktop).

When you talk about overkill in Linux or *BSD, what exactly is it?

Have you heard about AppArmor or acl utility?

Does Windows acl solve the same problem Android extension of the apps permissions addresses?

0
1
eulampios

@AC

You reminded me about a few more things, sir/ma'am:

-- Simplicity, in other words effectiveness: if things are smart, they must be simple, feasible, usable, otherwise they are overly complex, not effective, simply useless (the KISS principle is in action)

One such implementation of it is the POSIX file permission system that is easier, more simple than MS Windows. Hence, they are more usable and more used. On the other hand can be extended to acl, MAC system or Android extensions. Remember how messy it was with Windows XP?

0
1
eulampios

Re: Services

What makes GNU/Linux more "secure by design" than modern Windows (i.e. 7 or 8).

There are a few things that you (I guess, pretend) to have never heard about. I might recommend you to go back to some classical text on this. Most of the tackled material remains true to this day, IMHO. Okay, let me provide you my own proof of the "Pythagoras Theorem", ... I mean, my own take, a list of my own. I promise you to not use this Euclid's own masterpiece

a list:

-- most software on GNU/Linux is free/open source, including the kernel and utilities;

-- the kernel is modular, where a huge number of options are togglable at the compile time;

-- various system pieces are mutually interchangeable; many different combinations exist out there, say, quite a few GNU/Linux, BSD, the hybrids of the latter, Android etc;

-- a GNU/Linux (*BSD) system can be stripped down much further, disassembled and assembled with much more ease, than can be Windows. MS Windows didn't invent a headless, bare minimum server; A Core Server -- things are improving in Redmond here after 20 some years of denial.

-- more accurate POSIX hierarchical filesystem structure vs. chaotic Windows that still mixes data and software;

-- much more numerous up-to-date versions in use, a much higher distro heterogeneity than with MS Windows;

-- lack of central secure repositories containing 99% of all used software in MS Windows; recent attempts with a Windows store are unraisable, yet semi, or rather one hundreds of a measure, since very few software is available there. Neither did MS invent the Android's apps' permissions system and its transparency to the user.

-- lack of a decent central packager paired with a repository utility (see the previous item), like dpkg+apt, familiar to you from Debian, that does security, integrity and dependency tests; installs updates most of the software in a near seamless fashion, literally by typing in a command, or by a few mouse-clicks

-- better and closer adherence to the main IT principles of modularity, KISS, software in the Linux/BSD camp of developers and sysadmins than in the proprietary camp including Microsoft folks; neither is F/OSS people changing their opinion on things IT like Microsoft has for the last decades demonstrated time and again.

-- lack of a competent IT culture and infrastructure around MS Windows: harder to troubleshoot and fix problems, than with GNU/Linux or *BSD. Most popular type of diagnosis and resolution with Windows are either:

It's a malware/viruses -- get yourself a good AV and disinfect your PC!

Could be anything.... -- reinstall your system!

--etc

These are some I got off the top of my head right now, there are a lot more, I am sure.

2
1
eulampios

@h4rm0ny

I said that GNU/Linux would be pretty much the same malware-wise if it had the same user-base as Windows. That's not a dig at GNU/Linux, that's a simple and supportable opinion.

That's your theory, a hypothesis. It might not be true though.

Is it that you're forgetting the fact that you have to type in your password more times with Debian updates than for only two apps (FF and IE) in Windows. 2 vs all? Would you also prefer have an important, security update available ASAP than once a month? Please answer these questions:

-- there are only two pieces of software that needs updates, and/or

-- all the rest software stays magically updated without you needing to type in any passwords?

-- you can get updates for the 99.999% of installed apps, just like in Debian ?

-- updates for 3-party software are taken care of by a central packaging Windows system that installs, verifies the authenticity and integrity, checks for dependencies, keeps records for, notifies about and performs the updates when available of every piece of software

--Microsoft after all those long 20 some years has finally built itself a repository/store where you can securely install and update all apps and dlls?

If this is not completely true you might need to reconsider your little "congruency" theory, I suppose.

1
1
eulampios
FAIL

hey, Derrek

Have you ever met a single victim of the Android malwares that are so numerous (according to Kaspersky and others)? I myself have not. How many Windows users do you know that had never experienced a Windows malware at least once in their life? Well. I can't recall any, if I have, then there should be a really tiny percentage.

2
0

Windows hits the skids, Mac OS X on the rise

eulampios
WTF?

Re: Paul Crawford @Matt "sorry, I dropped FreeBSD when ZFS was forced on us"

going from FreeBSD to MS Windows? Wow, what a turn?!

0
0
eulampios
Linux

@Matt: reasons to switch away from Windows

are aplenty for geeks and ordinary clueless users. Money is pretty much the last one, I suppose. I now experience them all when I need to help a friend with his/her Windows problem. Such as

-- an annoying trojan/virus

-- slowed down system due to fragmented or "out of control" registry, or filled up disk (windows folder is known to grow with time), or some other unknown reasons

-- "irrational" problems (like this one) not resolved by MS, OEMs, nor the so called "windows geeks" -- all offering their own mutually perpendicular solutions/workarounds, none of which would finally resolve the issue. My last shock was that an ntfs filesystem can be wiped out completely without any warning on a healthy hdd after playing a game

My own reasons include:

-- a proprietary, effectively non-modular architecture, that is, you can't separate, substitute various pieces of the system, like the kernel from gui, utilities, shells etc; one is a mess you might run into when a kernel patch won't let you boot, unlike with a typical GNU/Linux distros with multiple kernel versions option.

-- less flexibility and configurability: would like to trim a system to my needs, build my own kernels, make my own persistent live media with ease

-- lack of decent, proper IT culture around MS Windows and plenty of mouse-clicking clueless Windows "geeks" that know nothing but "reinstall Windows" solution to every problem.

-- lack of a central repository full of most software with tested security mechanism (Win8 store was too late and still got very few), like apt for Debian system; this should also be wise enough to take care of dependencies and able to prevent installing and running multiple copies of the same libraries

-- etc

I did like and run FreeBSD up to the version 8.1-RC. It was a nice learning experience that let me study an alternative Unix system. Stopped using it when the FreeBSD foundation had gone awry with their GPL intolerance and view of all support from the patent troll in Cupertino, CA

In your turn, I haven't heard any argument from you, rather than you want to use a "decent Office suite", that is MSO from your other comment. Why LO/OO isn't decent enough for you? Is it a ribbon UI or a pivot table that you can't live without, or is it something else. The fact that the code of MSO is not portable is one big minus in my mind.

As far as I am concerned, I rely much more on GNU Emacs, which is available on most OS'es, however, there are some oddities and less control when running it on Windows.

8
8
eulampios
Linux

@Matt, Re: eulampios IMHO...

I am sorry sir about you being unlucky with your Linux trials. In my own experience, most of the people that try Linux would switch to GNU/Linux either entirely or at least as a dual boot option, providing they do care about things IT.

11
12
eulampios

@JDX

No, the bias is in this generality that all OSes being counted were obtained the same way. No, they aren't, and we both know this well, don't we?

Probably 99.9% of manual Windows installs are done on machines which came with Windows in the first place.

Yes, let's count all the manual installs.

2
2
eulampios

IMHO, It would be fair

to compare the shares of each OS actually installed by users themselves removing the preinstalled, bundled, non-reimbursable ones. Or, at least explicitly putting them in different categories.

9
9

Microsoft closing in on Apache's web server crown

eulampios

both nobis.net and ubiquityhosting.com

domains don't seem to be switching yet they still run an outdated version of apache 2.2.15 on CentOS, if their http header doesn't lie.

0
0
eulampios

Re: Apples & Pears

this is right, however, the most popular non-static content is PHP. Nginx handles it perfectly via fast cgi. This is also true with Perl, Python, Ruby. AMOF, my toy Perl cgi scripts run very well indeed.

0
0

Backdoor snoops can access files on your Samsung phone via the cell network – claim

eulampios
Devil

@AC

No, amusement is all ours to see how naive you really are. Any_Proprietary_OS_ has all those delicacies out of the box, it is a big fat back door, by definition. The sad part here is that you might not be able to verify it in any way other than through some kind of back-engineering.

And on top of that, it might be either impossible or very hard to load an alternative, open OS on the device at all. So Win Phone and surfaces are to be ruled out right there.

2
0

It's 2014 and Microsoft Windows PCs can still be owned by a JPEG

eulampios

64 bit version rewrites

Another example that stands out is skype with the shitty design, apparently, since Microsoft or the former code owner seem to fail the main principle of IT of modular programming. The current MS skype offering has no 64-bit builds for Linux. You gotta install a whole bunch of dependent libs emulating i386 if you run a 64-bit version of the OS (multiarch in Debian terms). It's still a shitty little app as far as the sound is concerned. Compare it with linphone a sip client for Linux/BSD/Windows/Android working flawlessly on each platform.

0
0
eulampios

@Slawek and dogged

And why do you assume that all "members of community" have benevolent intentions?

Just the mere statistics. The Law of Big Numbers (quite an important topic in Statistics and Probability Theory) The fact that with an open code given enough popularity for the project, the chances are higher than in the case when it is proprietary.

@dogged

Why do you have to trust all developers? A few people might be enough to spot mistakes or malevolent intentions of those you don't trust. Once again, no code is available to examine, change and redistribute, you have to have a trust to one entity? How reliable is that?

Okay, who do we trust? Say, Adobe flash player, pdf reader? Yes, sure. No malevolent intentions are needed.

1
0

Microsoft to push out penultimate XP patch on March Patch Tuesday

eulampios

Re: Linux

Good, try also Linux Mint 16 Mate (based on Ubuntu). I use that one for this purpose.

3
2
eulampios
Linux

Re: Linux

the majority of people are perfectly happy to continue with the familiarity of Windows which they see as being free anyway because they bought this PC and it already has Windows.

That is the catch! That is why it is called "the MS Windows Tax". It appears to be free, though it is not. And btw, when I offer help with cleaning up, fix a slow, full of viruses PC, I offer a usb drive live Linux Mint persistent system with a few additional packages added to the base one. This would be either near impossible, expensive or plain hard with any version Windows. Cleaning and troubleshooting a Windows setup is more expensive than the original license. My setup is advertised as a viruses-immune, never aging, self-cleaning system. If this "ad" is true, and the system works and suits the needs, I install on the hard drive. No need to relearn and get used to the new operating system. At the very end, I do explain that it is not MS Windows, but a GNU/Linux distribution.

For the time being, I charge for the usb flash drive. Things are pretty automated now. When I get more people asking for the same, I might start charging them a pack of beers or a bottle of wine :)

3
2

GNU security library GnuTLS fails on cert checks: Patch now

eulampios

dubious advantage

more modern and secure, in design at least

theoretically speaking, there are advantages, though no one really knows how much of this theory is actually implemented. Once again, a proprietary product is pretty much a black box.

Hard to compare the performance here. As far as popularity, number of supported architectures, portability, flexibility (options to turn on and off), modularity and interconnectivity, modular independence with other software (say Linux, FreeBSD kernels are tested to work for many different OS envelops), NT loses big time.

PS is very fresh (2005) compared to the much wider and more thoroughly used and better documented POSIX/Unix shells. Think of portability again.

So, no AC, unfortunately, the proprietary counterparts are more clear to lose than win in this case.

2
0
eulampios

A suggested list

Evidence? Try taking similar proprietary product and the one with the source code freely available. Compare their performance, stability, popularity, security, scalability, versatility, flexibility, portability, availability, ease of use, ubiquity, adherence to the main principles of IT etc.

Say,

1) Linux kernel, Free,Open,NetBSD, Darwin vs. NT kernel

2) vim, GNU Emacs vs notepad ;) okay, you can take Visual Studio editor

3) a GNU Linux, a BSD distro vs. Microsoft Windows

4) gnu bash, zsh etc vs. power shell

5) Apache, nginx vs Microsoft IIS

etc

So what do we get here?

1
0
eulampios

Re: there is a gnupg though

Note that GCC C does not issue a diagnostic for the GnuTLS or Apple SSL/TLS bugs even with "all" warnings enabled.

And which one that could compile them both would? For as many architectures?

0
0
eulampios

there is a gnupg though

a very popular product, even the diehard jobsians, BSD-only, gpl haters cannot live without. There is also a gcc that is still the best compiler. Those allergic to gpl, gnu and FSF are creating their own clang compiler....

0
0

Linux-friendly Munich: Ja, we'll take open source collab cloud

eulampios

@the brave anonymous coward

Oh yeah, that would be because they get to drink from the teat of tax payer money...money never runs out and they are never held accountable.

Do you mean us, tax payers, that have to support Microsoft and their fat proprietary brethren with our own money for Schools, government institutions and pretty much everything that follows? No accountability indeed when this money is swallowed by the private giant leech from Redmond, WA.

12
1

Fiendish Internet Explorer 10 zero-day targets US soldiers

eulampios

@AC, look at other more consistent figures

This is a great discrepancy with pretty much every other source. Look at these numbers. According to it currently, IE holds about 20%, while Chrome more than 40%.

0
0
eulampios

Re: @AC

None of your links talk about successful exploitation of getting a root. The first of them does mention an escape from the sandbox on the browser (very old one, applicable only to devices prior to Android 2.2) AMOF, MS Windows had no mandatory app sandbox mechanism (at least until Windows 8). So, again nothing specific.

Sure - but Linux has historically had some of the highest vulnerability counts of any OS (approaching 1,000 known holes in the kernel alone)

So, what is counted? Without weighing severity of each bug, one cannot say just by looking at the number. Does it apply to ALL versions of Linux, all or most generic configurations, architectures or not? You see you apply the monolithic Microsoft measure to this. MS kernels or whatever they call kernel cannot be configured in many gazillions ways with various options (like built into or as separate etc module). There are many more architectures and so many more current and extant versions of Linux kernel out there than for any other OS. Heterogeneity of Linux distros and Linux kernels diminishes that number substantially.

0
0
eulampios

Re: @AC

IE has a 75% market share of PC users

According to various statistics IE's market share fluctuates around 25%. Not sure where did you get the 75% number. It's pretty unlikely, if the 25% estimate is correct since Firefox, chrome et al are also counted for PC users.

but there certainly have been previous exploits that have rooted Android via the browser,

Links please, or do you mean a browser/Android exploit together with the privilege escalation exploit of the Linux kernel can render that. That is theory, a possibility, yet it doesn't mean it had been ever demonstrated.

that has successfully attacked OS-X / Linux via the browser

So again, you're trying to make it sound like it had happened.

Potential, yet a very unlikely situation. Did you follow our own links and saw that this java trojan would write itself /etc/init.d? How well do you know Linux-based systems to run web browsers as root?

A java browser plug-in exploiting a patched java vulnerability?

I am not using java plug-in, even most people don't use it nowadays (FF turns it off by default). JS is more of headache due to a much heavier use, FF's user are still more safe with noscript...

0
0
eulampios
Linux

theory vs. practice, @ the 2nd AC

the theoretical ability to boot into another kernel version is great except when your last update makes changes which render all the previous versions of the kernel un-bootable,

Sorry about that AC, can't recall it happening to me, actually.

So for me it's both practical and theoretical advantage, while missing in the MS Windows.

In your case, what could that be GRUB is pretty hard to break,

-- unless you updated/changed a proprietary video driver, but it's still bootable into mesa or a console non-X.

-- or you/update messed up with your configs, updates rarely (never happened to me), in case you did it, it's not the fault of the OS. And, it's still fairly easy to fix it by booting into a recovery mode (one user env) or a live system.

I suggested that taking examples of random /different/ bugs and using them to illustrate better

I've done it for you, pwn2own wasn't random enough for you? My perception was that Google has been super-fast, while MS does it ... on Tuesdays every month. On the other note, Chrome has yet to be compromised in the wild, unlike a popular target IE.

Lunix is ace/MS sucks attitude which flows through your posts because it holds back the FOSS movement as a whole.

Sorry, no it doesn't depend on me it depends on MS. BTW, holding back the FOSS movement, or rather using predatory practices and dirty tactics is one big thing. Sucking in the IT sense is a very different one. Say, Apple got the first one and many people despise them equally ( while Oracle got... Larry to join this very good company). In my opinion, MS deserves every beating and derision it receives for the both. No, it's all up to MS to not suck, I am afraid.

0
0
eulampios

Re: @AC

... but that company X fixes a problem with their browser faster than company Y doesn't even scratch the surface of what each company did to make the fix.

Since IE is a fully proprietary software, don't even guess what they are trying to do. Even Google's Chrome get their patches surfaced in the free Chromium.

Dear AC, you said that MS is faster to fix security bugs on IE than Google is on Chrome. You didn't provide any links for this allegation. I mentioned a few cases where MS was very slow. So are getting any links or not?

It also doesn't mean that Google and Mozilla tested their fixes with the same amount of hardware/software combinations to make sure that they worked.

Neither does it mean the converse. Should I be reminding you that Mozilla's Firefox and Google's Chrome run on the much wider scope of hardware and operating systems?

In general, MS takes too long to fix bugs and still get into trouble, say, when a few Windows systems wouldn't boot after a kernel patch. No, it's not the problem of those who patch it, it's the fundamental problem of the OS underpinning going against the modularity principle. AMOF, a faulty kernel update on a GNU/Linux system could easily be circumvented by booting into the old kernel. Sorry to break your Redmondian bubble.

2
0
eulampios

@AC

How is that possible for MS to be faster with a scheduling it Tuesday every month? It would be interesting to see the analysis of the average time before fix. However, according to Wikipedia, FF in 2006 was much faster in fixing than was IE, while having less security vulnerabilities than the latter. I also remember a few incidents on pwn2own, when both Mozilla and Google had patched their flaws almost immediately after the competition was over, while it took more than a month for MS to do a similar task.

As of the exploited vulnerabilities in the wild, Chrome has yet to be mentioned, it's primarily MS IE that is exploited. On top of that, Firefox got the noscript plugin that makes overwhelming majority of exploits virtually useless.

It should also be emphasized, that the exploits both working exploits and exploits in the wild have been demonstrated on the MS Windows, not GNU/Linux, Android, FreeBSD etc. So, MS has to be borne in mind and always mentioned as a responsible party.

2
1
eulampios

if it were for Mozilla or Google

that would have been fixed by now.

1
0

Tizen teasing continues as new members join but none pledge devices

eulampios

going after Google

go after any company that offers a Tizen phone.

Did they go after Google for exactly this? No, they only have a Ballmer's chair-hurling syndrome, thanks to the famous bald guy.

When they do go after a company, they make a big secret of how much is paid and where the money ends up eventually.

0
0

Google's SECRET contracts: Android lock-in REVEALED!

eulampios

Except that Android, the base Android is now crippled and crappy.

Meaning of this and/or any links by any chance.

Just trying to understand what you mean by core functionality of Android OS? What is proprietary? Google doesn't make software proprietary besides a few of their own apps. The kernel got very important proprietary bits or blobs. Are you accusing Google of not divulging the source of PowerVR, Mali, ARM code, other proprietary drivers? Should Google be responsible for this? Good job for a Microsoft (hence an anti-Google) evangelist, but you gotta check your facts too at times.

0
1
eulampios

Replicant or Blackberry OS and MADA

But that means they are locked out of Google's Play store and must source their own applications and find their own app store.

Where did you get this? You don't have to be a member of any org to be able to use apps from Google Play. You can either use a browser to download and install them, or an app. I am not sure about the actual Google Play app, it is also an app available on GP. Moreover, there is the fact that some Blackberry devices (and Sailfish OS in future) can use apps from GP as well. And what about Replicant and CyanogenMod?

0
0
eulampios

not completely correct

I do agree with you, though I would like to say that Google approval doesn't have to do with Google Play, formerly known as Android Market. This might be true about Google Play as an app itself, where you search for an app, install it etc. However, I would doubt that too. There is no such limitation. Moreover, one can use GP on even a few Blackberry devices.

1
1

Nokia to launch low-cost Android phone this month – report

eulampios

any way to support it?

True, WP has always been regarded as far less resource intensive than Android.

Any links with benchmarks or comparative analysis with similar hardware side by side?

AMOF, Microsoft corp. has been notorious for making a desktop OS (even with the allegedly better NT kernel) that is rich in cholesterol, doesn't last long, slows down with age, is therefore unstable etc. The minimal system reqs are also quite impressive; no, I am not talking about the great Vista: say, as of recently, their WinRT using a humongous amount of disk space is one example, compared to Android, iOS or even a desktop GNU/Linux.

1
0

Adobe goes out of band to fix frightful Flash flaw

eulampios
Linux

@ac: ignorance is a good weapon

grep -i CONFIG_X86_X32 /boot/config-$(uname -r)

# CONFIG_X86_X32 is not set

I specifically gave you the name of my distro that ships their Debian kernels as most of the other ones happen to be immune to this. And, btw, Canonical shipped the fix the very same day it was announced. So, dear AC, you have to admit that it's not as straightforward as you suggested, given the heterogeneity of the Linux population (which is almost non-existent according to you, or whichever AC was there above).

However, it was said by the original AC to be a piece of cake to get an exploit utilizing some Linux kernel vulnerability through this flashplayer one. In this regard, a working exploit (at least for some distros) should be provided/linked to, or a few similar ones that existed in the past.

0
0
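The kernel-config check from the post above, generalised as an added example (not the poster's code): it reports whether an option is built in, a module, explicitly unset or absent, using an exact match so that a longer option name is not mistaken for the one asked about. The function names, the sample lines and the option `CONFIG_X86_X32_EXTRA` are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one option in a kernel build config.
# Prints y, m, a literal value, "unset" (explicitly disabled) or "absent".
# SOURCE may be a config file, a .gz file, or "-" for stdin; with no SOURCE
# the running kernel's config is looked up in the two usual places.
kconfig_state() {
    opt=$1
    src=${2:-}
    if [ -z "$src" ]; then
        for f in "/boot/config-$(uname -r)" /proc/config.gz; do
            if [ -r "$f" ]; then src=$f; break; fi
        done
    fi
    if [ -z "$src" ]; then
        echo "no-config"
        return 2
    fi
    case $src in
        -)    cat ;;
        *.gz) gzip -dc "$src" ;;
        *)    cat "$src" ;;
    esac | awk -v o="$opt" '
        $0 == "# " o " is not set" { s = "unset" }          # explicit "off"
        index($0, o "=") == 1      { s = substr($0, length(o) + 2) }
        END { print (s == "" ? "absent" : s) }'
}

# Constructed sample, not taken from any real system. CONFIG_X86_X32_EXTRA is
# a made-up name that a substring grep for CONFIG_X86_X32 would also match.
constructed_sample() {
    cat <<'EOF'
CONFIG_IA32_EMULATION=y
# CONFIG_X86_X32 is not set
CONFIG_X86_X32_EXTRA=y
CONFIG_X86_MSR=m
EOF
}

# Demo on the constructed sample
for o in CONFIG_X86_X32 CONFIG_X86_X32_EXTRA CONFIG_X86_MSR CONFIG_MISSING; do
    printf '%s: %s\n' "$o" "$(constructed_sample | kconfig_state "$o" -)"
done
```

Called with only an option name, `kconfig_state` reads the running kernel's config from `/boot/config-$(uname -r)` or, failing that, `/proc/config.gz`.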
eulampios

just make flash-plugin obsolete

A resource hog and vulnerability magnet should be avoided at any cost. For YouTube pretty much any decent video player can be used (10 times more efficiently), sometimes with the help of youtube-dl, e.g.:

1) mplayer $(youtube-dl -g link-to-youtube-video)

2) vlc link-to-youtube-video

3) totem link-to-youtube-video

and so forth...

On some other sites it might be possible to find the video source by examining the HTML source. Then use flvstreamer or a player of your choice. In more intricate situations, resort to tcpdump (you still have to run flashplayer for a few seconds to "sniff" the source of the video).

0
0
eulampios

Re: Linux Support

No - it's just as simple to exploit Flash under Linux.

Is it easy to say, or easy to do?

Have you written it for this one already so we, Linux desktop users, aka ghosts, could all try? E.g., on this system LMDE, with the kernel being 3.12.9-custom+, x86_64 GNU/Linux.

Thanks in advance.

0
1

Multi-platform Java bot marshals ZOMBIE FORCE against spammers

eulampios

the only nice use of Java plugin is

Στοιχεῖα of Euclid. I mean this wonderful website http://aleph0.clarku.edu/~djoyce/java/elements/toc.html

I don't think that the use of the Java plug-in even there is so important.

0
0
eulampios
Linux

Re: not a very plausible scenario

java applications frequently run as root

Just like _almost_every_ application can be run as root. For stupidity there is really no upper bound out there. You'd still have to manually and specifically launch it with su/sudo, or be already logged in as uid=0. The most possible scenario (and perhaps the most vulnerable) is when Java is a web browser plugin (I think FF now disables it by default). Then it would be run as a progeny and would inherit the uid of the parent process. So one has to be ... extra smart to do just that.

Those who run JVM specifically for other purposes are likely to create a special user or group for it and change to that when needed, when launching it from the shell, to minimize the threat.

Another point is that on a GNU/Linux distro you get updates without much headache suffered by most Windows users, such as:

* it is not done from the same interface (one update interface for ALL programs)

* no need to reboot a machine (most updates would just need to restart an app)

* more resilient, if a kernel update is buggy and you cannot boot into the fresh kernel, things are modular, the older kernels are kept together with the new to be able to boot into

etc

3
0

Java, Android were THE wide-open barn doors of security in 2013 - report

eulampios
Linux

@AC, yes let's make it clear

Android - has most malware despite its godlike...

Let's make it clear that most Android malware exists in the minds of AV advertisers and "security researchers". The sheer volume of it they talk about is not very well correlated with the number of infected devices. It's probably hard to reliably estimate those numbers too.

I would personally judge from the number of complaining acquaintances. Yes, about 70-75% of them use both Android and Windows devices. About 90% of them have at least once suffered from Windows malware (scareware, desktop hijackers, credentials sniffers, spam-ware etc). I also know it from helping them clean it up or by getting spam sometimes originating from Romania, Ukraine, China and other outlandish places. No one has ever had any unsolicited texting, dialing etc., nor any other indication of a trojaned Android app installed.

One reason perhaps is that they have been using Windows longer than they have Android, yet there's an undeniable design superiority Android has over Windows. It's separation and sand-boxing of apps and a transparent permission system. Existence of Google Play might be another one (yet still inferior to secure repos/ports most distros use). The simple design that Android has, its low footprint and the fact that it runs atop the Linux kernel that is widely and actively tested, developed -- all these things are also pretty hard to overestimate.

No, Linux is not "godlike". You can still make a shitty envelope around it. Given special talents, you can easily put a fly in any ointment. Android is not that case though. On the other hand, no one knows what kind of ointment an NT kernel is with its magic hybrid design and other delicacies.

BTW, as far as Android is concerned, there hasn't been a single proper Android system or Linux kernel vulnerability exploited in the wild .. yet. Just sayin'....

2
0
eulampios

poorly written malware... I mean scripts on Cisco's site?

Meanwhile, fully 99 per cent of all mobile malware discovered during the year targeted Android, as did 71 per cent of all web-based attacks on mobile devices.

So how did they discover it?

Can't download their report, even after "temporarily allowing all scripts" with NoScript on the linked page.

2
0
eulampios

@AC: not very plausible figures...

Actually there is LOADS of Android malware out there, and about 0.5% (1 in 200 devices) are currently infected:

AC, your zdnet link points to the article that mentions another "Alcatel-Lucent report" stating your figures. Well, if memory doesn't fail me, it's one of the first attempts to count the actual number of trojaned Android systems. However, the mentioned methodology is not very convincing to say the least. No details are provided, yet according to their own paper:

To accurately detect that a user is infected, our signature set looks for network behavior that provides unequivocal evidence of infection coming from the user’s computer. This includes:

• Malware command and control (C&C) communications

• Backdoor connections

• Attempts to infect others (e.g. exploits)

• Excessive e-mail

• Denial of Service (DoS) and hacking activity

Although for Windows all of those methods might be eligible, for Android it could only be #1, thanks to Android's separation between apps. Another usual revelation of malware activity they talk about is texting or even placing calls, yet they cannot intercept it.

Okay, so, it's from their sample that a .5% of Android devices were found to engage in some C&C communications? Can we do it globally and monitor it world-wide? Yes, why is it not detected world-wide that a .5% of a billion (or more), some 5 million devices, are flooding the Internet? Moreover, no figures of those activities seem to exist outside of Kindsight's vigilant sight, because those might indeed be negligible or non-existent.

Here's another quote: The table below shows the top 20 Android malware detected in Q2 in the networks where the Kindsight Mobile Security solution is deployed...

Kindsight seems to be able to not only detect so many C&C communications, they can easily distinguish between the actual species of trojans... No details of this innovative approach are attached with the report though...

Is it a scientific finding? To me it rather looks like another AV scaremongering ad.

3
0

Slovenian jailed for creating code behind 12 MILLION strong 'Mariposa' botnet army

eulampios
Linux

@TheTallGuy

"And 99% of mobile malware is Linux/android based..."

99% of those are not viruses but trojans never having a chance to get installed on users' systems and so exist only for AV ads, "security researchers" and other gullible folks' amusement.

It might be because of Android's transparent app permissions system or Google Play or the fact that Android runs atop a (modified a bit) Linux kernel and never manages to be as fat and messy as MS Windows.

0
0
eulampios

@AC

If you're going to write a virus you target the biggest OS.

For this very purpose you might also make sure to choose the arguably fattest and messiest OS available.

0
2
