Re: warning to list

"All he wants to know is that he's putting potentially buggy, late-night-coffee-build, eat-your-data-alive packages on his computer BUT that if he loses data it will be to a devel problem and not some cracker."

Mmm....I do this all the time with Windows software.

They still crack Windows with perfectly signed packages from Microsoft. I do not see signatures as such a big deal, therefore as they have not really impacted code security of Microsoft products. In FACT, I do not see how signing binaries helps really in dealing with secure code for end users.

I get perfectly crackable code, with authentic Microsoft PGP keys in every service pack update for Windows 2000 for example...and XP.

Signed by Microsoft and of course, Doesn't Mean Jack. The best a signed package can do is tell you where it is from. But, it doesn't make your code any less crackable or any more secure.

If you believe that, then you're a fool. Code should be suspicious by default, and if you can't look at it, don't install it.

Works every time for myself anyway. By looks I mean of course a procedure that allows you to look which usually is running said code first on a secured platform, watching what it does on the net while it is running and of course, doing a profile and looking at what code it spends the majority of its time executing.

Unfortunately, I am sorry to say, by end user I do not mean Mary in Accounting. I mean hired Systems and Network Admins.

In the US, the typical admin or network guy doesn't know jack about code. A sorry state of affairs that I am sure outsourcing will fix quickly in the next 3-4 years, thank goodness. Then we will have only the die hards left with intimate code knowledge in IT departments that can properly deploy software for end users like Mary in accounting.

I assume we will push Windows out to the edge along with other proprietary binaries so that IT departments run on core open source code. Right now that is a dream....but it will be a reality very shortly after we conquer the desktop.

The only thing that I know of that can make a difference in code security is actually being able to look at it, understand it and fix it. If we take for a given, that software development is buggy with either closed or open source products then we have a basis for improving the situation by giving the source code and build tools away with the application so users can perform their own security checks if they wish, according to their own exalted standards.

That is the promise of Open Source Software. That is where the REAL security begins, with the SOURCE CODE.

Which is why closed proprietary binary software will NEVER be as secure as Open Source Software.

So I do not think signed keys are all that important given the history of signed packages transporting crackable code all over the place. If people would use practical deployment procedures, we wouldn't need signed packages for Linux in the first place.

Not something many would like to hear, but I think security in general has not improved in computing because we have all of these not required methods that make us THINK the code is safe (i.e. Oooo...the package is digitally signed so it's OK....), but in reality do not address the primary issues of why executables are a risk....lack of source code.

IMHO.

-gc

Rodolfo J. Paiz wrote:

On Mon, 2004-10-25 at 14:46 -0400, Ricardo Veguilla wrote:
I can't believe you are making this argument. *You* "forced" yourself
when *you* decided to use an unsupported beta.

For the love of Pete, people, chill a little. You're arguing against
something that Mat� NEVER SAID, damn it.

All the guy said is that he's happy to use a test version, fully
understands his risks and has taken appropriate precautions, BUT feels
that not signing the Rawhide RPM packages exposes him to the small, but
greater than zero, risk of someone tampering with a package hosted on a
mirror somewhere. He seems to feel that this is a small but unnecessary
risk that could easily be avoided by simple additional security measures
which would improve the status quo and which have not been taken.

All he wants to know is that he's putting potentially buggy, late-night-
coffee-build, eat-your-data-alive packages on his computer BUT that if
he loses data it will be to a devel problem and not some cracker.

Beating the hell out of him for using test versions isn't doing *ANYONE*
any good... reread his post on what he does to keep his data safe, how
he runs his systems, and how long he's been running beta OS releases,
and he *clearly* is doing this with full knowledge and acceptance of the
risks involved.

Read the posts carefully. Argue intelligently and coherently. Or be
quiet. Not just Ricardo, either... there were a couple other "you're not
fit to run Rawhide" posts which were no more intelligent.

Sheesh.


