Linked by Thom Holwerda on Mon 11th Jul 2011 21:29 UTC, submitted by sawboss
Multimedia, AV

This is a problem I hadn't yet heard of, so it fascinates me to no end. We all know VLC, right? It's one of the best video players out there, and while I myself generally just install the K-Lite Codec Pack, VLC is definitely a good alternative - and pretty much the norm on Linux. They're having a problem, though: malicious folk are bundling VLC with malware, offering it up for download as the official VLC, and misleading users in the process. Not only does this violate the GPL - it's pretty damn low, too.
More widespread
by Moredhas on Mon 11th Jul 2011 21:42 UTC
Moredhas
Member since:
2008-04-10

This is a problem with a lot of free software, (both senses of the word free) media players and converters in particular. I've had to train myself and others to just ignore the yellow highlighted Google search results. Soon as you tell someone those people paid for their high search ranking, like buying an ad, they quickly learn to avoid those results.

Type in "free audio converter" into Google, and TRY and find a legitimate piece of software. They're in there, sure, but buried under piles and piles of the same shit repackaged maliciously.

Reply Score: 8

RE: More widespread
by Soulbender on Mon 11th Jul 2011 21:47 UTC in reply to "More widespread"
Soulbender Member since:
2005-08-18

Type in "free audio converter" into Google, and TRY and find a legitimate piece of software.


"Free Video Player" on the other hand has the official VLC as the top item.

Reply Score: 5

RE: More widespread
by lemur2 on Mon 11th Jul 2011 23:35 UTC in reply to "More widespread"
lemur2 Member since:
2007-02-17

This is a problem with a lot of free software, (both senses of the word free) media players and converters in particular. I've had to train myself and others to just ignore the yellow highlighted Google search results. Soon as you tell someone those people paid for their high search ranking, like buying an ad, they quickly learn to avoid those results. Type in "free audio converter" into Google, and TRY and find a legitimate piece of software. They're in there, sure, but buried under piles and piles of the same shit repackaged maliciously.


"This is a problem with a lot of free Windows software"

There, FTFY.

It is only a problem for binary blob packages distributed via the web (as opposed to software repositories with signed keys).

Typically, one does not use Google to search for software for a Linux distribution.

http://www.ubuntu.com/ubuntu/features/ubuntu-software-centre

If one searches for "VLC" in the Ubuntu Software Centre, one is guaranteed that the software offered for installation is a legitimate version of VLC.

Edited 2011-07-11 23:39 UTC

Reply Score: 10

RE[2]: More widespread
by lucas_maximus on Tue 12th Jul 2011 01:36 UTC in reply to "RE: More widespread"
lucas_maximus Member since:
2009-08-18

***groan***

Oh not this bullshit again.

Technically savvy Windows users also check the source of their downloads.

If these users were educated in the first place about getting their software from the correct place, i.e. vlc's homepage ... this problem wouldn't exist.

Converting everyone to Linux isn't a silver bullet solution as regards everything.

Oh and Lemur2 ... please read this.

https://nonlinux-manifesto.jottit.com/

Reply Score: 2

RE[3]: More widespread
by Liquidator on Tue 12th Jul 2011 05:01 UTC in reply to "RE[2]: More widespread"
Liquidator Member since:
2007-03-04

Yeah, people just have to think for a second and check where they're downloading their software from. If they're downloading it from www.vlc-millenium-4-you.ws, of course they should be wary... It's about common sense.

Reply Score: 3

RE[3]: More widespread
by adundovi on Tue 12th Jul 2011 06:55 UTC in reply to "RE[2]: More widespread"
adundovi Member since:
2009-02-13



I would like to add this to the end of manifesto:


p.s. We don't care about human freedom and morality - all these are just crap. If something works better for us, it doesn't matter if it hurts society or it's morally wrong. We are so open minded that we are interested only in technical aspects of software.

Reply Score: 4

RE[3]: More widespread
by _QJ_ on Tue 12th Jul 2011 08:45 UTC in reply to "RE[2]: More widespread"
_QJ_ Member since:
2009-03-12

Oh and "lucas_maximus"... Please read this:
http://uptime.netcraft.com/up/graph?site=nonlinux-manifesto.jottit....

;-P

Reply Score: 3

RE[4]: More widespread
by lucas_maximus on Tue 12th Jul 2011 11:31 UTC in reply to "RE[3]: More widespread"
lucas_maximus Member since:
2009-08-18

So it is running Linux ... your point being?

I honestly don't care that that particular website is running Linux, the fact that it is running Linux is irrelevant since all I care about is that the application is working as expected.

The same service can be hosted on Windows, Solaris, FreeBSD ... it doesn't matter.

If Linux worked as a desktop for me and my needs I would certainly use it ... however it doesn't.

Edited 2011-07-12 11:33 UTC

Reply Score: 5

RE[5]: More widespread
by gilboa on Tue 12th Jul 2011 17:04 UTC in reply to "RE[4]: More widespread"
gilboa Member since:
2005-07-06

... And we should care because? *

- Gilboa
* Point being: Lemur2 pointed out that the problem was -not- open / free source, but the broken software distribution model (or lack of) that's being used to distribute 99% of all software under Windows - a problem that was solved years ago in Linux, *BSD and Solaris.
In response a useless link was posted (I don't like Linux! Baah! in your face!) and just as irrelevant why-I-don't-use-Linux story.

... It would have been far easier to concede that the Windows ecosystem does indeed have an issue with software distribution and continue, no?

Reply Score: 4

RE[6]: More widespread
by Alfman on Tue 12th Jul 2011 18:57 UTC in reply to "RE[5]: More widespread"
Alfman Member since:
2011-01-28

gilboa,

"... It would have been far easier to conceded that the Windows ecosystem does indeed have an issue with software distribution and continue, no?"

Well, I agree with the point that repos solve the unauthenticated download issue.

However, a repository is only useful for times when the binaries/sources are available from the repository.

The moment we step outside the repository (source or not), a large chain of dependencies can start to break.

I've encountered countless times when I'm working with source code with numerous dependencies, which require external library dependencies which are not fulfilled by the repos.

Asterisk is a good example, openssl is another, dbus is another, etc. When I try to compile these projects using the latest source (newer than the repos) they break during the ./configure phase.

Configure spits out "XYZ is not satisfied".
The first thing I do is verify XYZ is installed from the repo (often heuristic guessing is needed to even find the package name corresponding to the automake script).

If the package is not there, there's sometimes no choice but to locate the source via web search. What I download may or may not be from an official site (how would I know?) and then compile that, which may rope in even more dependencies. At this point, I'm desperately trying to get the original source to compile, I just don't have the resources to check everything for malware.


What linux dev hasn't faced this problem? This is particularly problematic when working on bleeding edge source code.

Arguably, this may just be a matter of bad practices between developers and repositories. However I tend to think the problems stem from centralized repositories. What we need is decentralized repositories. The decentralized repo should continue to authenticate packages, possibly serve as a mirror, but unlike today, it should be possible for properly authenticated authors to provide direct upstream repo access such that devs can explicitly apt-get the latest upstream libraries.

This would allow proper authentication of authors, even though their code hasn't yet been (or will not be) accepted in the distro repo.


This would address all the times that I have no choice but to go outside of my linux distro's repo to get.

I guess there's functional overlap between this and version control systems, but I think we'd benefit from improved integration.

Reply Score: 2

RE[7]: More widespread
by gilboa on Wed 13th Jul 2011 04:20 UTC in reply to "RE[6]: More widespread"
gilboa Member since:
2005-07-06

I get your point, and I do agree that the repository system has its shortfalls (when certain software does not exist) - though this problem can be partially negated by selecting a distribution (e.g. Debian / Fedora / etc) with a wider selection of software.

As for the decentralized repo, to some effect this already exists (PPAs in Ubuntu, personal repository infrastructure in Fedora, etc) - though I do agree that this is still somewhat spartan.

... In the end, while not perfect, the idea of a software repository (be that Linux style or *BSD style) solves the problem for >90% of all users and all use-cases. A similar tool, running under Windows, would greatly reduce the software distribution problem under Windows - even if it doesn't solve the problem completely. (Read: the lack of a system-based package and dependency management system).

- Gilboa

Edited 2011-07-13 04:21 UTC

Reply Score: 2

jabbotts Member since:
2007-09-06

That exists already for some distributions. Webmin and Mondo Rescue both provide Debian specific repositories. You get your Debian from the distro repositories and your Webmin/Mondo from the applicable developer managed repositories.

It does indeed work well provided the third party repo maintainer manages it well.

Reply Score: 2

RE[6]: More widespread
by lucas_maximus on Wed 13th Jul 2011 21:06 UTC in reply to "RE[5]: More widespread"
lucas_maximus Member since:
2009-08-18


* Point being: Lemur2 pointed out that the problem was -not- open / free source, but the broken software distribution model (or lack of) that's being to distribute 99% of all software under Windows - a problem that was solved years ago in Linux, *BSD and Solaris.


No it hasn't been solved by them.

It is not a solved issue considering every distro does it differently as well, with varying results ... Arch for example have f--k load of dependencies that are often not needed ... why??

Things like delta RPMs are a step in the right direction ... but the last time I typed yum upgrade on my Fedora 15 box there were 200 MB of upgrades about a week after install, and I grabbed it as soon as the ISO came out.

Also there is no clear separation between what is OS updates and what is Application updates. BSD does this perfectly I give you that and OpenBSD pkg tools are the best I have used ... but downloading .exes with a bit of common sense seems to work quite well also.

Again swings and roundabouts ... it is not black and white ... which is the issue I have with the statements.

In response a useless link was posted (I don't like Linux! Baah! in your face!) and just as irrelevant why-I-don't-use-Linux story.


It wasn't a story ... it was a manifesto and wasn't written by me ... I wish I had written it since it put many of my feelings into concise statements.

The point was I have chosen Windows and millions of users don't have any problems with it. Some have chosen using macs .. because they like using them.

It is really people like Lemur2 who go on and on about problems that really don't exist unless you are in fringe edge cases ... These comments had some value in the pre Windows XP SP2 days ... but not now, 7 years later (an eternity in the tech world), when many of these issues don't exist.

I was trying to get through to him/her that you don't have to promote your OS of choice all the time ... if it really is that good ... it will promote itself and I will use it because it is the better option ... not because of some dubious made up reason taken straight from FSF.org.

I say I like Windows 7 but I don't try converting everyone to Windows 7 ... because I don't have to the sales speak for themselves .. and the OEM argument is invalidated by the Beta download numbers which were massive also.

... It would have been far easier to conceded that the Windows ecosystem does indeed have an issue with software distribution and continue, no?


There is nothing broken about Windows Software distribution. You download an executable from its website and you have zero problems ... funnily enough if you go to warez.com and dodgy websites you will have the same problem ....

Ironically this was the exact same argument that Lemur2 was using against downloading binaries ... except he was insisting the codez is open ... because that magically fixes all bugs and exposes badness.

yes people can do shitty things ... with closed source software ...

I gotta deal with it first hand everyday with 3rd bespoke CMS software ...

but some open source software is f--king shitty too (Rainbow CMS, check it out I gotta support that shit until 2011 with no docs)

Ultimately it is swings and roundabouts and pretending any different is ridiculous.

I use whatever works for me ... I use OpenBSD on a soekris box, Linux on a PHP/Ruby/Python dev box, iBook for a laptop (6 hours battery life ) and a Windows 7 PC for .NET development ... I am only pragmatic ... and I do not care for dogmatism unless a company is doing something exceptionally shitty.

So forgive me for disagreeing when someone is being a free software zealot ... because I honestly don't care about your ideals ... and most of the world doesn't either.

Edited 2011-07-13 21:06 UTC

Reply Score: 2

RE[7]: More widespread
by lemur2 on Wed 13th Jul 2011 23:56 UTC in reply to "RE[6]: More widespread"
lemur2 Member since:
2007-02-17

" * Point being: Lemur2 pointed out that the problem was -not- open / free source, but the broken software distribution model (or lack of) that's being to distribute 99% of all software under Windows - a problem that was solved years ago in Linux, *BSD and Solaris.
No it hasn't been solved by them. It is not a solved issue considering every distro does it differently as well, with varying results "

Yes, it has been solved. The fact that different distributions use different methods means only that it has been solved in a number of different ways.

There are only two essential steps required to prevent malware being distributed via trojan horses:
(1) Have a wide collaboration (meritocracy) of independent developers developing the project with source code in the open (everyone able to inspect it), and
(2) Have a distribution system which ensures that the binary which is the result of compiling THAT source code is the binary that is distributed to all recipients.

In the case of the VLC project (the topic of this thread) requirement (1) is available for all platforms, since VLC is a cross-platform application.

Requirement (2) is only in place for the Linux platform. Distribution of VLC to recipients running Windows is demonstrably an abysmal failure, and this is clearly not the fault of VLC itself. The culprit is the system of distributing and installing Windows applications expected to be followed by Windows users.

Edited 2011-07-13 23:58 UTC

Reply Score: 2
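Requirement (2) above, and the "how would I know?" question in Alfman's post further up about sources fetched outside the repo, both come down to checking the bytes you downloaded against a digest manifest obtained from the same trusted place as the source. This added example (mine, not code from the thread, VideoLAN or any distribution) parses a sha256sum-style manifest and reports per file whether it matches, is missing, or is an unlisted extra; every file name, byte string and digest in it is constructed, and it assumes the manifest's own authenticity is established separately (e.g. by a detached signature).

```python
"""Check downloaded files against a SHA256SUMS-style manifest.

Added example for this thread; not code from VLC/VideoLAN or from any of the
posters. A digest check only binds a file to the manifest, so the manifest
must itself come from the trusted place (the project's own site, ideally with
a detached signature verified separately, e.g. with gpg); that signature step
is outside this example.
"""
import hashlib
import re

# sha256sum(1) layout: 64 hex chars, whitespace (" *" marks binary mode), name.
_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> dict:
    """Return {filename: digest}. Malformed lines and conflicting duplicates raise."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if entries.get(name, digest) != digest:
            raise ValueError(f"manifest lists {name} twice with different digests")
        entries[name] = digest
    return entries


def verify_downloads(manifest_text: str, downloads: dict) -> dict:
    """Compare {filename: bytes} against the manifest.

    Every listed file gets OK, MISMATCH or MISSING; a file present locally but
    absent from the manifest is reported as UNLISTED, since an extra "bonus"
    binary is exactly what a repackaged installer adds.
    """
    expected = parse_manifest(manifest_text)
    report = {}
    for name, digest in expected.items():
        if name not in downloads:
            report[name] = "MISSING"
        elif sha256_hex(downloads[name]) == digest:
            report[name] = "OK"
        else:
            report[name] = "MISMATCH"
    for name in downloads:
        if name not in expected:
            report[name] = "UNLISTED"
    return report


def all_verified(report: dict) -> bool:
    """True only when every file is listed and matches."""
    return bool(report) and all(v == "OK" for v in report.values())


# Constructed sample data (not real VLC bytes or digests): the bytes a user
# would have read from disk with open(path, "rb").read().
OFFICIAL = b"constructed stand-in for the official installer bytes"
SOURCE = b"constructed stand-in for the matching source tarball"
TROJANIZED = OFFICIAL + b"\x00constructed stand-in for a bundled extra payload"

SAMPLE_MANIFEST = (
    "# constructed SHA256SUMS published next to the downloads\n"
    f"{sha256_hex(OFFICIAL)}  vlc-installer.exe\n"
    f"{sha256_hex(SOURCE)} *vlc-source.tar.bz2\n"
)


def demo() -> dict:
    """Run the check on a legitimate and on a repackaged download set."""
    clean = verify_downloads(SAMPLE_MANIFEST,
                             {"vlc-installer.exe": OFFICIAL,
                              "vlc-source.tar.bz2": SOURCE})
    tampered = verify_downloads(SAMPLE_MANIFEST,
                                {"vlc-installer.exe": TROJANIZED,
                                 "toolbar-setup.exe": b"constructed extra"})
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "verified" if all_verified(report) else "REJECT", report)
```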

RE[7]: More widespread
by lemur2 on Thu 14th Jul 2011 00:23 UTC in reply to "RE[6]: More widespread"
lemur2 Member since:
2007-02-17

It is really people like Lemur2 go on and on about problems that really don't exist unless you are fringe edge cases ... These comments had some value in the pre Windows XP SP2 days ... but not now which is 7 years later (an eternity) in the tech world, much of these issues don't exist.


These issues certainly do exist for Windows 7. If a user downloads a trojan horse installer, which they have no real reason at all to trust, yet they still run it and give permission at UAC prompts, then the malware payload will often install just fine. Anti-malware software cannot possibly keep up with 2 million new pieces of Windows malware code per year.

I was trying to get through to him/her that you don't have to promote your OS of choice all the time ... if it really is that good ... it will promote itself and I will use it because it is the better option ... not because of some dubious made up reason taken straight from FSF.org.


You are told of better options and you just deny that they exist!

Ordinary users not wanting malware on their systems; and the observation that the Windows paradigm of downloading un-verifiable stuff from god-knows-where and then clicking Allow, Next, Next, Next is well entrenched ... both have nothing at all to do with FSF.org.

Edited 2011-07-14 00:32 UTC

Reply Score: 2

RE[6]: More widespread
by lucas_maximus on Wed 13th Jul 2011 21:09 UTC in reply to "RE[5]: More widespread"
lucas_maximus Member since:
2009-08-18

... And we should care because? *


I wasn't replying to him then ... I was replying to the fact that I linked something that happened to be hosted on Linux ... it doesn't invalidate my response.

This shit is ridiculous.

Reply Score: 2

RE[3]: More widespread
by Gone fishing on Wed 13th Jul 2011 16:40 UTC in reply to "RE[2]: More widespread"
Gone fishing Member since:
2006-02-22

Technically savvy Windows users also check the source of their downloads.


Of course there are two problems here

1) Not all Windows users are tech savvy (most aren't) and why should you need to be an expert in Computer security to use your PC?

2) Drivers - on an older PC with Windows you usually end up finding that the manufacturer doesn't have the driver on its site any more - almost all the Free Drivers sites are just there to install scumware and the only site you can find the driver is located in Romania and as tech savvy as you might be it's a case of having faith in your AV - Not surprising many mom and dad Windows users don't stand a chance.

Reply Score: 2

RE[4]: More widespread
by lucas_maximus on Wed 13th Jul 2011 21:25 UTC in reply to "RE[3]: More widespread"
lucas_maximus Member since:
2009-08-18

Of course there are two problems here

1) Not all Windows users are tech savvy (most aren’t) and why should you need to be a expert in Computer security to use your PC?


I know that they aren't. However, seriously explaining 4 things to them works wonders:

1) Keep Windows Updated.
2) Keep AV updated.
3) Explain basic things like password security, the padlock and what it means etc.
4) Using Common Sense ... if you are unsure you can always decline.

I am the most technically savvy in my family and this works for them and their PCs are Virus Free and they run Windows ... Anecdotal I know ... but I absolutely believe user education is better than pretending that Linux is the cure for all computer problems.

But there is always going to be debate about this ... tbh as Macs are easier to look after by "normals" I would suggest those, however I am not impressed with their recent track record of responding to security problems and in some cases it seems actively denying them.

2) Drivers - on an older PC with Windows you usually end up finding that the manufacture doesn’t have the driver on it's site any more - almost all the Free Drivers sites are just there to install scumware and the only site you can find the driver is located in Romania and as tech savvy as you might be it’s a case of having faith in your AV – Not surprising many mom and dad Windows users don’t stand a chance.


That is a fair point tbh. I have had this problem myself.

Although Vista and 7 are very good at finding and installing drivers.

Reply Score: 2

Malware and its Lack of Universality
by frajo on Tue 12th Jul 2011 07:27 UTC in reply to "RE: More widespread"
frajo Member since:
2007-06-29

"This is a problem with a lot of free Windows software"

There, FTFY.

It is only a problem for binary blob packages distributed via the web (as opposed to software repositories with signed keys).

Typically, one does not use Google to search for software for a Linux distribution.

Exactly.
Neither do we in the eComStation community search for our sw via Google.
Yes, we also use VLC. Personally, I prefer VLC to firefox for watching YouTube clips.
We can trust our sources - that's one of the advantages of living in a small village - and, of course, no existing malware would be successful on OS/2.

Now, dear Windows proponents, it's your turn again. "BS", anyone?

Reply Score: 2

RE[2]: More widespread
by vodoomoth on Tue 12th Jul 2011 07:37 UTC in reply to "RE: More widespread"
vodoomoth Member since:
2010-03-30

Don't Linux users also stray from official repositories?

Reply Score: 2

RE[3]: More widespread
by Spiron on Tue 12th Jul 2011 09:29 UTC in reply to "RE[2]: More widespread"
Spiron Member since:
2011-03-08

Not usually, though if you look at Ubuntu you might think it sometimes. Even then that is mostly just adding another PPA repository to your list. The only time I have ever needed to look outside my repository was when I was looking on Gnomelook for some themes, other than that I really don't know of anyone that gets stable software from anywhere but the distro's repository.

Edited 2011-07-12 09:30 UTC

Reply Score: 2

RE[3]: More widespread
by lemur2 on Tue 12th Jul 2011 09:45 UTC in reply to "RE[2]: More widespread"
lemur2 Member since:
2007-02-17

Don't Linux users also stray from official repositories?


For certain software the best choice on Linux is closed source. Here is one example:

http://www.bricsys.com/en_INTL/

For users, this carries exactly the same risk for the Windows version as it does for the Linux version. It is highly, highly unlikely to carry malware.

However, it is a risk. A small risk, but a risk nevertheless.

With Linux, it is very possible to keep this risk to an absolute minimum.

Both Windows users and Linux users can benefit from downloads (even outside of repositories) as long as one downloads from the same site as the source code is available from.

http://www.videolan.org/vlc/

http://www.mozilla.com/en-US/firefox/fx/

Edited 2011-07-12 09:55 UTC

Reply Score: 3

jabbotts Member since:
2007-09-06

Different distributions target different users. If you're straying from the distro repositories, chances are good that there is a better distribution for your needs.

In my personal case I find only two programs outside of Debian's official repositories; Webmin for remote admin by browser and Mondo Rescue for drive imaging, both provide third party Debian repositories.

I also go outside of the distro repositories for various security related programs. They are not programs the average user is going to look for but they are one case where having the bleeding edge latest can make a difference. Metasploit by svn download would be an example.

With Backtrack, I've never had reason to go outside the distro repositories. It's a pretty specialized distribution though too so if one is going outside the repos, they should probably re-consider why they are using Backtrack.

Part of how distributions compete is available selection in the repositories. If one distro doesn't have all or the majority of software you are looking for, find out if another distro does. Your user data is not tied to any one distribution branding so switching to a new distro is pretty easy.

(ah.. good 28th update down from Windows Update.. now to visit the several third party update utilities.)

Reply Score: 2

Comment by Soulbender
by Soulbender on Mon 11th Jul 2011 21:45 UTC
Soulbender
Member since:
2005-08-18

Not only does this violate the GPL - it's pretty damn low, too.


Uhm, they're assholes distributing malware. Anything they do is going to be low by default. Heck, the lower the better is probably a sound strategy for this kind of stuff.

Reply Score: 5

Google
by WorknMan on Mon 11th Jul 2011 21:55 UTC
WorknMan
Member since:
2005-11-13

Wonder if there's anything Google can/should legitimately do about these kinds of things. The minute they start removing sites that are distributing malware from search results, I'm sure Big Content will want them to also remove torrent sites and the like. Maybe it's better that they stay neutral.

Reply Score: 7

RE: Google
by JAlexoid on Mon 11th Jul 2011 23:42 UTC in reply to "Google"
JAlexoid Member since:
2009-05-19

At least they could stop selling them advertising services.

Reply Score: 2

RE: Google
by vodoomoth on Tue 12th Jul 2011 07:38 UTC in reply to "Google"
vodoomoth Member since:
2010-03-30

The minute they start removing sites that are distributing malware from search results, I'm sure Big Content will want them to also remove torrent sites and the like.

Already happened back in January: http://www.osnews.com/story/24334/Google_Censors_BitTorrent_RapidSh...

Reply Score: 2

Does it violates GPL?
by martini on Mon 11th Jul 2011 22:07 UTC
martini
Member since:
2006-01-23

Thanks for the heads up, very interesting news.

I agree with you that this is low. But how does it violate the GPL license? Are these scammers modifying VLC source code to include malware and not releasing the source code under the same license?

Or is the malware in the installer as an included binary for Windows?

Or is it because these scammers are violating the VLC name trademark?

Edited 2011-07-11 22:19 UTC

Reply Score: 2

RE: Does it violates GPL?
by JAlexoid on Mon 11th Jul 2011 23:42 UTC in reply to "Does it violates GPL?"
JAlexoid Member since:
2009-05-19

They have to notify the person that downloads that the software is under GPL and they can get the code at videolan.org if they wish to.

Reply Score: 3

jabbotts Member since:
2007-09-06

Since they are modifying the source to include additional functions (read;malware), they have to make the modified source code available for download rather than simply directing users back to videolan's unmodified source.

My understanding is that the license would allow them to modify and distribute malicious versions of the software if they included the source for the malicious version. The malicious source would get publicised and these folks would be blackballed in the FOSS community. Hopefully loudly enough to also be blackballed among average users.

Granted, they are distributing malware so respect for licensing terms is unlikely.

Reply Score: 3

Good - DO NOT BE EVIL
by Sabon on Mon 11th Jul 2011 23:13 UTC
RE: Good - DO NOT BE EVIL
by Kivada on Tue 12th Jul 2011 04:57 UTC in reply to "Good - DO NOT BE EVIL"
Kivada Member since:
2010-07-07

So the stopbadware.org warning pages when accessing these pages doesn't count for anything?

Delisting them outright gets them in a massive quagmire with MAFIAA whack-a-mole with warez sites and more dicking around with despots like the Chinese.

Maybe we just need an OSS repo for Windows? Don't the ReactOS guys have something in the works already?

Reply Score: 2

tomcat
Member since:
2006-01-06

Because then it would be okay: They'd be doing their part to comply with the GPL and give back to the community. LOL.

Edited 2011-07-12 00:11 UTC

Reply Score: 3

lemur2 Member since:
2007-02-17

Because then it would be okay: They'd be doing their part to comply with the GPL and give back to the community. LOL.


Somewhat paradoxically, this is exactly the reason why source code availability guarantees absence of malware.

If anyone can look at the source code, and compile it for themselves to check that the distributed version matches that source code, then the distributed version won't contain malware. It would take only one person to spot any malware and blow the whistle, it isn't as though everyone has to look at the source code. As long as it is available, and can be inspected and vetted by anyone who wants to ... guaranteed no malware.

Mind you, you have to be able to get the binary version and the source code from the same place. If you can't do that ... all bets are off. If you can do that ... this is the ONLY reliable known way to be assured that software that you download is malware free.

Reply Score: 2

lucas_maximus Member since:
2009-08-18

If anyone can look at the source code, and compile it for themselves to check that the distributed version matches that source code, then the distributed version won't contain malware. It would take only one person to spot any malware and blow the whistle, it isn't as though everyone has to look at the source code. As long as it is available, and can be inspected and vetted by anyone who wants to ... guaranteed no malware.


Except that in this case it didn't help at all.

Anyone can get the VLC source and compile however, the problem was that users were getting the .exe and just installing it and not caring where it came from which is a problem with users not being aware of the threats.

Also people don't spot problems for years in source code ...

http://www.theinquirer.net/inquirer/news/1033925/openssl-bug-debian...

I await your circular argument.

Reply Score: 2

lemur2 Member since:
2007-02-17

"If anyone can look at the source code, and compile it for themselves to check that the distributed version matches that source code, then the distributed version won't contain malware. It would take only one person to spot any malware and blow the whistle, it isn't as though everyone has to look at the source code. As long as it is available, and can be inspected and vetted by anyone who wants to ... guaranteed no malware.
Except that in this case it didn't help at all. Anyone can get the VLC source and compile however, the problem was that users were getting the .exe and just installing it and not caring where it came from which is a problem with users not being aware of the threats. Also people don't spot problems for years in source code ... http://www.theinquirer.net/inquirer/news/1033925/openssl-bug-debian... I await your circular argument. "

Bugs are not malware, they are bugs.

Der.

Only Windows users are routinely in the habit of installing un-vettable .exe binary blobs from god-knows-where and thereby infecting their own systems with malware.

This is a problem unique to Windows ... open source or not, Windows binary blobs are routinely downloaded from god-knows-where, without source code being available, and installed on users systems by the users themselves.

Classic trojan horse scenario. The very same people who wrote this ( https://nonlinux-manifesto.jottit.com/ ) probably wonder why the Trojans were stupid enough to let the wooden horse, made by their enemies, inside the gates of Troy, without first checking what was inside it.

Der.

Edited 2011-07-12 02:45 UTC

Reply Score: 2

lucas_maximus Member since:
2009-08-18

Bugs are not malware, they are bugs.


I just invalidated the "you can spot stuff in the source" argument you brought up since it was left there for years ... so if this error can be left for years, why can't malicious code be left undetected for years ... but I am just repeating myself.

Der.


No Der to you for missing the point.

Only Windows users are rountinely in the habit of installing un-vettable .exe binary blobs from god-knows-where and thereby infecting their own systems with malware.


Except if you want 3D acceleration in Linux you also need to install binary blobs. If you want to install Skype on Linux you need to install binary blobs. If you want to use professional 3D apps you need to install binary blobs on Windows.

This is a problem unique to Windows ... open source or not, Windows binary blobs are routinely downloaded from god-knows-where, without source code being available, and installed on users systems by the users themselves.


Most users download them from the application distributor or places like CNET and softpedia which ensure that there is no-malware in the downloads ...

Classic trojan horse scenario. The very same people who wrote this ( https://nonlinux-manifesto.jottit.com/ ) probably wonder why the Trojans were stupid enough to let the wooden horse, made by their enemies, inside the gates of Troy, without first checking what was inside it.

Der.


** shakes head ** ... seriously ... one was a military siege and the other is my computer ... having a bit of dodgy code on your machine does not mean that a group of warriors will come out and slay me in my sleep ... FFS ...

The whole point is that some of us are perfectly good enough at looking after our kit and don't want twats like you jumping in saying "but you should use Linux because the codez are free" ... Guess what I haven't had a virus on any of my Windows Machines ... ever ... because I do sensible things.

Way to go to miss the point again. Evangelise somewhere else. You bore us.

Edited 2011-07-12 11:45 UTC

Reply Score: 2

lemur2 Member since:
2007-02-17

Except if you want 3d acceleration in Linux you also need to install Binary Blobs,


http://www.x.org/wiki/RadeonFeature

3D acceleration works for open source drivers for my video card (ATI).

http://www.phoronix.com/scan.php?page=news_item&px=OTY1NQ

OpenGL 2 is supported, OpenGL 3 should be available by the end of this year.

http://www.phoronix.com/scan.php?page=news_item&px=OTY1OQ

VDPAU video acceleration API has just been merged to master.

If you want to install Skype on Linux you need to install binary blobs,


One solution: http://www.mhspot.com/sts/siptosis.html

If you want to use professional 3d apps you need to install binary blobs on Windows.


One solution: http://www.blender.org/

Reply Score: 3

lucas_maximus Member since:
2009-08-18

3D acceleration works for open source drivers for my video card (ATI).


ATI and OpenGL have always had poor performance ... even with the fglrx driver ... Nvidia and the Nvidia driver have always been superior ... so "it works" doesn't mean it works well.

http://www.phoronix.com/scan.php?page=news_item&px=OTY1NQ

OpenGL 2 is supported, OpenGL 3 should be available by the end of this year.


The next version is always coming "soon" with open source ... I got fed up with hearing it a long time ago ... I only care about what currently works.

http://www.phoronix.com/scan.php?page=news_item&px=OTY1OQ

VDPAU video acceleration API has just been merged to master.


Intel and ATI have no plans to support it on Linux, so will it only work with the Nvidia driver and the S3 driver?



Why do you google for "GNU version <insert popular software>" and think that is in any way a solution?

Nobody I know uses that Skype alternative so it is no good for me. I suspect if you asked a lot of people they would probably agree as well.

Also Blender is only any good at doing key frame animation ... and I would be interested to see how Blender measures up to a tool like Maya ... is any big FX company using Blender? According to their website, not.

Suggesting substandard alternatives is not an argument.

Reply Score: 2

lemur2 Member since:
2007-02-17

" 3D acceleration works for open source drivers for my video card (ATI).
ATI and OpenGL have always had poor performance ... even with the fglrx driver ... Nvidia and Nvidia driver has always been superior ... so it works doesn't mean it works well. "

You said that a binary blob driver was required. I showed you that it wasn't. The open source ATI drivers are still in the "get it working everywhere" phase, so tuning for performance has yet to be done. Even so, these drivers run KDE's kwin composited desktop at 60Hz, which is frame-locked to the monitor refresh rate. For use on a desktop OS, what more performance is required?

For use with roles like blender, the open source driver has already reached about 40% of the performance of fglrx, and as I said, tuning has yet to be done, so expect performance to increase as the driver matures.

"http://www.phoronix.com/scan.php?page=news_item&px=OTY1NQ OpenGL 2 is supported, OpenGL 3 should be available by the end of this year.
The next version is always coming "soon" with Open Source ... I got fed up of hearing it a long time ago ... I only care about what currently works. "

What currently works, as I said, is OpenGL 2. Do you have a reading comprehension problem or something?

"http://www.phoronix.com/scan.php?page=news_item&px=OTY1OQ VDPAU video acceleration API has just been merged to master.
Intel and ATI have no plans to support it on Linux, so will it only work with Nvidia driver and the S3 driver? "

And now the open source ATI-GPU Gallium3D driver, written by Xorg. It should also work with Intel's open source Gallium3D driver, given a bit of extra work from Intel.

Why do you google for "GNU version "

Because that is what you said did not exist. It does exist, and despite your attempt at disparagement, blender is very good software. I didn't have to Google it, blender is already famous.

Edited 2011-07-13 23:35 UTC

Reply Score: 2

lemur2 Member since:
2007-02-17

Except that in this case it didn't help at all. Anyone can get the VLC source and compile it; however, the problem was that users were getting the .exe and just installing it and not caring where it came from, which is a problem with users not being aware of the threats.


Say what?

In this case, the source code was not available, and the trojan horse binary blob malware executable was disguised as VLC.

What on earth has that got to do with actual bona fide open source practice, other than the fact that the VLC project saved the malware authors the trouble of writing their own multimedia application as the bait?

Edited 2011-07-12 02:58 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

lucas_maximus,

"I await your circular argument."

Haha, been there. Once you've proven that he's full of it and he's got nothing left, he accuses you of being a troll! Ironic isn't it?

http://www.osnews.com/thread?480289

Reply Score: 0

lemur2 Member since:
2007-02-17

lucas_maximus, "I await your circular argument." Haha, been there. Once you've proven that he's full of it and he's got nothing left, he accuses you of being a troll! Ironic isn't it? http://www.osnews.com/thread?480289


I'll just wait for an actual point from you rather than simple-minded ad hominems.

Reply Score: 3

Alfman Member since:
2011-01-28

lemur2,
"I'll just wait for an actual point from you rather than simple-minded ad hominems."

Fair enough, however don't be a hypocrite. Will you agree to cease posting hostile comments? That includes unfairly calling other people trolls and blaming other people's motives when they provide evidence which disagrees with a claim? Can we both agree that there is merit in others' points of view, and that we must try to understand them before coming to judgment, at which point we can agree to disagree instead of resorting to attacks?

Edited 2011-07-12 04:06 UTC

Reply Score: 2

lemur2 Member since:
2007-02-17

lemur2, "I'll just wait for an actual point from you rather than simple-minded ad hominems." Fair enough, however don't be a hypocrite. Will you agree to cease posting hostile comments? That includes unfairly calling other people trolls and blaming other people's motives when they provide evidence which disagrees with a claim? Can we both agree that there is merit in others' points of view, and that we must try to understand them before coming to judgment, at which point we can agree to disagree instead of resorting to attacks?


Have a look at recent trends on this site. I think you might find, looked at objectively, that I am the one who is consistently attacked, even though I am the one who actually posts the backed-up facts.

In a few threads I actually got accused of posting too many links backing up what I said!

Every now and then I get snitchy, especially against a poster who is posting stupid things (always without backup that makes any sense).

A couple of posters have tried to jump on to this topic with an apparent agenda to try to paint open source software (such as VLC in this case) as unreliable, low quality, and a source of malware. Not to be trusted. The very title of this sub-thread is an example.

In actual fact, the precise opposite is the case. Malware needs to be a payload hidden inside a binary executable (without the corresponding source code being available) in order to achieve a successful trojan horse "infection vector" strategy.

This is a fairly self-evident point that some interests do not want generally known. It is also a point that, in the best interests of end users, should be shouted from the rooftops as often as possible.

So, when someone does start pointing out this truth, a lot of people are keen to jump on anyone pointing it out. Having no actual valid counter-argument, ad hominem attacks are frequently used ... right out of the box in many cases, without even trying to discuss the point.

This is where I thought you were going. Certainly other posters on this thread have already tried to go there.

If that was not your actual intent, then I am perfectly willing to actually discuss the issues if you are (without ad hominem attacks, if you don't mind).

PS: Just so you know, the first personal attack in this topic was this: "***groan*** Oh not this bullshit again.". The second personal attack was this: "I await your circular argument."

Neither comment was mine.

Edited 2011-07-12 04:39 UTC

Reply Score: 3

Alfman Member since:
2011-01-28

Well those (on topic) points are not my concern right now. At some point we will bump up into something which one of us disagrees with and unless we've done something to curb overly aggressive behavior we're back to where we started. I want to know if we can commit to a more civil discourse, and not blow things up out of proportion?

Edited 2011-07-12 04:59 UTC

Reply Score: 2

lucas_maximus Member since:
2009-08-18

You do this ad nauseam ...

You - "If they inspected the codez they could see the problem"

Me - "But you have to be savvy enough to do that"

You - "but Linux magically does this"

Me - "But you have to be technically savvy enough to choose Linux"

and it continues something like that while ignoring the fact that only technically savvy people know to look for this in the first place.

Reply Score: 2

gilboa Member since:
2005-07-06

(Even though I believe the Linux vs. Windows sub-thread is completely OT, I'll chime in)
... I guess that at this point, I should point out that in my experience, you should be technically savvy to install and maintain ***Windows*** just as well, and I've got a looooooooo<duplicate x 1000>oooong list of family/friends/co-workers/heck, neighbor's Windows machine that I have serviced in the last God-knows-how-many-years to back this claim. (Hence the reason I'm sick'n'tired of Windows as an eco-system, even though I write cross-platform Windows/Linux software for a living).

- Gilboa

Reply Score: 2

lucas_maximus Member since:
2009-08-18

That is more of a problem with desktop operating systems in general. Even Macs need a certain amount of looking after as the cruft builds up.

Reply Score: 2

lemur2 Member since:
2007-02-17

You do this ad nauseam ... You - "If they inspected the codez they could see the problem" Me - "But you have to be savvy enough to do that" You - "but Linux magically does this" Me - "But you have to be technically savvy enough to choose Linux" and it continues something like that while ignoring the fact that only technically savvy people know to look for this in the first place.


Strawman.

Savvy users and non-savvy users get the same packages. Only one person, who did not write the source code, has to be savvy enough to compile the source code package and compare it to the binary package. That one person can vet the source code for all users (savvy or not), because ... all users get the same packages.

Reply Score: 2

lucas_maximus Member since:
2009-08-18

Strawman bollox ...

The fact of the matter is that reading source code is hard ... and spotting bugs and malicious code is hard ... being able to see the "codez" does magically rectify this.

Lots of money and various books have been written about software quality and testing ... from the original "The Art of Software Testing" to today's TDD and BDD test patterns ...

So don't pretend you can just "spot the bugs" because even the creators of software who wrote the code often can't see the problems ... it is total bollox.

Stop defending your ideologies which simply don't stand up to any critical evaluation.

Reply Score: 2

WorknMan Member since:
2005-11-13

Mind you, you have to be able to get the binary version and the source code from the same place. If you can't do that ... all bets are off. If you can do that ... this is the ONLY reliable known way to be assured that software that you download is malware free.


Well, not necessarily. If the code for the malware itself has been embedded in the source code by the original author of the program, then you're not guaranteed shit, except maybe a human looked through the source code at one time.

Sure, all it takes is one person to find the malware, but what if the app itself has been installed on 100,000 computers before anybody discovers it? Do distro repository admins have the ability to remote wipe apps off computers like Google does with Android?

I will grant you that having people looking through the source code is probably the best way to avoid distributing apps with malware, but unless they scan every line of code in the app, you still don't have any guarantees.

Edited 2011-07-12 05:08 UTC

Reply Score: 3

lemur2 Member since:
2007-02-17

"Mind you, you have to be able to get the binary version and the source code from the same place. If you can't do that ... all bets are off. If you can do that ... this is the ONLY reliable known way to be assured that software that you download is malware free.
Well, not necessarily. If the code for the malware itself has been embedded in the source code by the original author of the program, then you're not guaranteed shit, except maybe a human looked through the source code at one time. Sure, all it takes is one person to find the malware, but what if the app itself has been installed on 100,000 computers before anybody discovers it? Do distro repository admins have the ability to remote wipe apps off computers like Google does with Android? I will grant you that having people looking through the source code is probably the best way to avoid distributing apps with malware, but unless they scan every line of code in the app, you still don't have any guarantees. "

The whole point of making your project open source is to get other developers involved. Together, in collaboration, using a principle of "meritocracy" where the best code available is adopted, the entire point is to "evolve" the code into better and better versions, in a process very akin to "survival of the fittest".

This just won't happen if no-one reads the code.

So, if you have an active open source project that has released multiple versions over time, you can bet that humans have read the code. The source code for a project like VLC will have been pored over by hundreds of people.

As for your two questions:
(1) but what if the app itself has been installed on 100,000 computers before anybody discovers it?

This is a nightmare situation. Disaster. Fortunately, in the history of open source software distribution via package managers, well over a decade, for many thousands of packages, hundreds of versions, tens of Linux distributions, millions of users, this has never happened.

Contrast this to the millions upon millions of compromised Windows machines that are members of botnets right now.

The proof, as they say, is in the pudding.

(2) Do distro repository admins have the ability to remote wipe apps off computers like Google does with Android?

No, they don't.

The only recourse I suppose is that it is good practice in a Linux installation to separate userland data into a separate partition from the OS itself. It takes about 30 minutes, and zero cost, to put in a new LiveCD, completely wipe the old OS partition and the MBR, then install a fresh version of the OS from the clean LiveCD, re-enter the user account names and passwords, and carry on.

I can't think of any Windows malware, recently, that I have been able to purge in 30 minutes (and perhaps even upgrade the OS and applications at the same time).

Edited 2011-07-12 05:56 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

lemur2,

"This is a nightmare situation. Disaster. Fortunately, in the history of open source software distribution via package managers, well over a decade, for many thousands of packages, hundreds of versions, tens of Linux distributions, millions of users, this has never happened."

It doesn't mean that the code is always secure however. I remember the OpenSSL random number generator glitch on debian which caused keys for SSH/SSL/OpenVPN to be predictable. There was an ~18 month window during which the updated systems generated insecure keys.

http://www.itwire.com/opinion-and-analysis/open-sauce/18213-remote-...

The vulnerability was fixed very quickly once it was reported, but it took a long time to be detected. Not that I think closed source would have been any better - most likely it is never fixed.

Reply Score: 3

lemur2 Member since:
2007-02-17

lemur2,

"This is a nightmare situation. Disaster. Fortunately, in the history of open source software distribution via package managers, well over a decade, for many thousands of packages, hundreds of versions, tens of Linux distributions, millions of users, this has never happened."

It doesn't mean that the code is always secure however. I remember the OpenSSL random number generator glitch on debian which caused keys for SSH/SSL/OpenVPN to be predictable. There was an ~18 month window during which the updated systems generated insecure keys.

http://www.itwire.com/opinion-and-analysis/open-sauce/18213-remote-...

The vulnerability was fixed very quickly once it was reported, but it took a long time to be detected. Not that I think closed source would have been any better - most likely it is never fixed.


This was a bug introduced by a well-meaning Debian maintainer who introduced some "clean-up" code to set some un-initialised variables to zero. Normally this is sound practice, but in this particular instance this change reduced the "randomness" of the generated keys. There was reduced security for SSL on Debian while this bug was in the code, not zero security.

What you are saying here is perfectly correct ... having open source code does not guarantee there will be no unintentional bugs. All code can have bugs, open source or not.

The only thing guaranteed by having the source code visible is that there will be no intentional malware. (By its very nature malware cannot be unintentional).

Reply Score: 2

lucas_maximus Member since:
2009-08-18



This was a bug introduced by a well-meaning Debian maintainer who introduced some "clean-up" code to set some un-initialised variables to zero. Normally this is sound practice, but in this particular instance this change reduced the "randomness" of the generated keys. There was reduced security for SSL on Debian while this bug was in the code, not zero security.


The point of the argument is that just because the source was open doesn't mean problems are easily detected ... whether it was malicious or not is not the point ... having access to the code does not automatically make that code safe ... whatever the intentions of the author.

But whatever continue with your rhetoric.

Edited 2011-07-12 11:53 UTC

Reply Score: 2

lemur2 Member since:
2007-02-17

" This was a bug introduced by a well-meaning Debian maintainer who introduced some "clean-up" code to set some un-initialised variables to zero. Normally this is sound practice, but in this particular instance this change reduced the "randomness" of the generated keys. There was reduced security for SSL on Debian while this bug was in the code, not zero security.
The point of the argument is that just because the source was open doesn't mean problems are easily detected ... whether it was malicious or not is not the point ... having access to the code does not automatically make that code safe ... whatever the intentions of the author. But whatever, continue with your rhetoric. "

The methods of open source development and distribution do not provide any assurances against unintentional errors. Neither do the methods of closed source development and distribution. Bugs occur in both.

The only difference, really, is that people find out about the bugs that occurred in open source, whereas closed source bugs are often hushed up, and surprisingly often they are not even fixed.

As for intentional malware ... this is introduced into the distribution of closed source Windows executables at the rate of approximately two million new pieces of malware code every year.

http://bnn-news.com/kaspersky-20-million-malware-created-2010-30390
https://www.infosecisland.com/blogview/11462-Nearly-Twenty-Million-N...

(Not even I would credit claims of twenty million by anti-malware vendors)

In comparison, intentional malware is introduced into open source repository/package manager distribution channels at the approximate rate of ... never in its history.

Edited 2011-07-13 00:05 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

lemur2,

"There was reduced security for SSL on Debian while this bug was in the code, not zero security."

From what I've read, there were only 15 bits of seed material per key.

"Q: How long does it take a crack a SSH user account using these keys?
A: This depends on the speed of the network and the configuration of the SSH server. It should be possible to try all 32,767 keys of both DSA-1024 and RSA-2048 within a couple hours, but be careful of anti-brute-force scripts on the target server."

http://digitaloffense.net/tools/debian-openssl/


"The only thing guaranteed by having the source code visible is that there will be no intentional malware. (By its very nature malware cannot be unintentional)."

But why not? If a developer was able to introduce a bug which seriously broke security, what prevents someone from doing the same thing deliberately?

A regular contributor (as opposed to a one-time patcher) is in a great position to add obscure vulnerabilities. I would hope that regular project contributors are unlikely to have malicious intent, but that's simply an assumption on my part.

Reply Score: 2

lemur2 Member since:
2007-02-17

lemur2, "There was reduced security for SSL on Debian while this bug was in the code, not zero security." From what I've read, there were only 15 bits of seed material per key. "Q: How long does it take a crack a SSH user account using these keys? A: This depends on the speed of the network and the configuration of the SSH server. It should be possible to try all 32,767 keys of both DSA-1024 and RSA-2048 within a couple hours, but be careful of anti-brute-force scripts on the target server." http://digitaloffense.net/tools/debian-openssl/ "The only thing guaranteed by having the source code visible is that there will be no intentional malware. (By its very nature malware cannot be unintentional)." But why not? If a developer was able to introduce a bug which seriously broke security, what prevents someone from doing the same thing deliberately? A regular contributor (as opposed to a one-time patcher) is in a great position to add obscure vulnerabilities. I would hope that regular project contributors are unlikely to have malicious intent, but that's simply an assumption on my part.


This is reasonable, but it is beside the point. It hasn't happened IRL in the history of open source repositories/package managers.

Intentional malware is introduced into Windows binary executable distribution channels at the approximate rate of two million new pieces of malware every year.

Just getting a handle on the scope of the problem and the performance of the distribution systems here, to help anyone who is having similar difficulties ...

Reply Score: 2

MattPie Member since:
2006-04-18

(2) Do distro repository admins have the ability to remote wipe apps off computers like Google does with Android?

No, they don't.


Kind of. They could "upgrade" the package in the repo with one containing a text file saying 'this package removed because the author is a bad person.'

Similar to the dummy package in Ubuntu that 'provides' mono but doesn't really have anything in it.

Reply Score: 1

tomcat Member since:
2006-01-06

This just won't happen if no-one reads the code.


AND NO ONE DOES. Get over it. You're neither safe nor secure and, even when you get it straight from the source, there could be malware code embedded in the sources that hasn't been caught yet. It all comes down to trust and credibility.

Reply Score: 2

lemur2 Member since:
2007-02-17

"This just won't happen if no-one reads the code.
AND NO ONE DOES. Get over it. You're neither safe nor secure and, even when you get it straight from the source, there could be malware code embedded in the sources that hasn't been caught yet. It all comes down to trust and credibility. "

WTF?

Of course people read the code. What is more, they contribute to it, there are multiple versions released, it gets improved over time.

Here is the story for VLC, which we are using as a convenient example:

http://www.videolan.org/videolan/team/

People from all over the world, totally independent from each other, read the code, contribute to it, and hence end up vetting each other.

There is no need to trust anyone, everyone's self interest alone is enough to ensure the integrity of the resulting code.

Result: there is no malware embedded in the open source code (as produced by this team). Guaranteed. The only thing from that point is that one needs to make sure that the binary one installs on one's system is made from THAT exact same source code.

So, may I ask ... what in heaven's name is wrong with you? WTF is your issue?

Edited 2011-07-12 23:17 UTC

Reply Score: 2

tomcat Member since:
2006-01-06

You're the one that asserted that the user just needs to look at the source code to match up their binaries.

A. They probably don't have that level of capability.
B. They wouldn't know where to look, even if they did.
C. There's no guarantee that the sources don't have time-bomb malware embedded in them, because the end-user has to trust that the maintainers are doing the due diligence, looking at the code, etc.

In other words, it all comes down to TRUST and CREDIBILITY of the maintainers. That's it. But since the end user doesn't know how to validate that TRUST and CREDIBILITY -- may not even know where the project is located -- the end result is a crap shoot. Ergo, do I feel lucky enough to install this POS package...

Reply Score: 2

lemur2 Member since:
2007-02-17

You're the one that asserted that the user just needs to look at the source code to match up their binaries. A. They probably don't have that level of capability. B. They wouldn't know where to look, even if they did. C. There's no guarantee that the sources don't have time-bomb malware embedded in them, because the end-user has to trust that the maintainers are doing the due diligence, looking at the code, etc. In other words, it all comes down to TRUST and CREDIBILITY of the maintainers. That's it. But since the end user doesn't know how to validate that TRUST and CREDIBILITY -- may not even know where the project is located -- the end result is a crap shoot. Ergo, do I feel lucky enough to install this POS package...


No, you have misunderstood. Just ONE person, somewhere, needs to compile the source code downloaded from source code repositories to make sure that it produces the same binary as that in the repository.

This is always done, purely through self interest, because at least one person somewhere (out of millions of users) won't trust the repository maintainers.

Everyone else who uses the distribution's package manager to install software necessarily gets the same independently vetted binary, even if they never download the source code.

http://www.ubuntu.com/ubuntu/features/ubuntu-software-centre

There is no way to give just one person a correct, clean package, and everyone else a malware-infected one. This is assured twice over, firstly because the repository people cannot tell if a given downloader is competent to compile the package or not, and secondly because the packages are signed at the repository by the repository private key, and every running copy of the package managers has a copy of the corresponding repository public key.

Edited 2011-07-13 01:45 UTC

Reply Score: 2
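The two checks lemur2 describes above (one person rebuilding the source and comparing it with the shipped binary, and every package manager verifying the repository's signature with an embedded public key) as an added worked example; this is illustrative code, not any distribution's package manager, and the package bytes, manifest format, toy "compiler" and keys are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what a repository publishes alongside a binary package: the
// package identity and the SHA-256 of the exact bytes it ships. The format is
// constructed for this example; real repository metadata carries more fields.
type Manifest struct {
	Name    string
	Version string
	SHA256  string // hex digest of the package bytes
}

// Bytes returns the canonical byte string that the repository signs.
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// Repository holds the private signing key. Clients never see it.
type Repository struct {
	priv ed25519.PrivateKey
}

// Publish builds a manifest for pkg and signs it with the repository key.
func (r Repository) Publish(name, version string, pkg []byte) (Manifest, []byte) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Name: name, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(r.priv, m.Bytes())
}

var (
	ErrBadSignature  = errors.New("manifest signature does not verify against repository public key")
	ErrHashMismatch  = errors.New("downloaded package bytes do not match signed manifest digest")
	ErrNotReproduced = errors.New("locally built binary differs from the distributed binary")
)

// VerifyDownload is the check every package manager runs on every install:
// verify the manifest signature with the embedded repository public key, then
// verify that the downloaded bytes hash to the signed digest. A package that
// was swapped after signing, or signed with some other key, is rejected here
// with no human judgement involved.
func VerifyDownload(repoPub ed25519.PublicKey, m Manifest, sig, pkg []byte) error {
	if !ed25519.Verify(repoPub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// VerifyReproducible is the "one savvy person" check from the thread: rebuild
// the package from the published source and compare it byte-for-byte with the
// shipped binary. build stands in for a deterministic compiler (hypothetical).
func VerifyReproducible(source []byte, build func([]byte) []byte, shipped []byte) error {
	if sha256.Sum256(build(source)) != sha256.Sum256(shipped) {
		return ErrNotReproduced
	}
	return nil
}

// toyBuild is a constructed, deterministic stand-in for a compiler so that the
// example runs offline; any real reproducible build would play this role.
func toyBuild(source []byte) []byte {
	sum := sha256.Sum256(source)
	return append([]byte("binary:"), sum[:]...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed repository key pair
	repo := Repository{priv: priv}

	source := []byte("int main(void) { return 0; }") // constructed source
	binary := toyBuild(source)
	m, sig := repo.Publish("example-player", "0.0-example", binary)

	fmt.Println("clean package:  ", VerifyDownload(pub, m, sig, binary))
	fmt.Println("rebuild check:  ", VerifyReproducible(source, toyBuild, binary))

	// A binary altered after signing (the "VLC plus extra payload" case) fails the digest check.
	tampered := append(append([]byte{}, binary...), []byte("extra")...)
	fmt.Println("tampered bytes: ", VerifyDownload(pub, m, sig, tampered))

	// Re-signing a matching manifest without the repository's private key fails the signature check.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fm, fsig := Repository{priv: otherPriv}.Publish("example-player", "0.0-example", tampered)
	fmt.Println("forged manifest:", VerifyDownload(pub, fm, fsig, tampered))
}
```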

jabbotts Member since:
2007-09-06

That's kind of a strength for repository distribution.

A buggy program gets through and installed on a thousand systems. The bug is discovered and fixed promptly. Those thousand systems have access to the update as soon as it's available in the repository. Tada.. no more thousand computers with that previous vulnerability.

Heck, how is this any different than Windows? A buggy program gets through and installed on a thousand systems. The bug is discovered and fixed (er.. promptly?). Those thousand systems have access to the update as soon as the next month's second Tuesday hits. Tada.. no more thousand computers with that previous vulnerability.

The strength is the fact that the central repo distributes the updated version to all those machines previously affected. If it's a well run repo they will also re-evaluate management processes and fix what allowed the malicious code to remain undetected during vetting.

Granted, some distributions manage repositories better than others. There has really been very little issue with Debian's Unstable to Testing and periodic Testing to Stable management process. OpenSSL had a Debian specific vulnerability that remained undetected for about a year then was promptly fixed when discovered (the openssl maintainer made changes without consulting cryptographic experts; ie.

Reply Score: 2

Soulbender Member since:
2005-08-18

Somewhat paradoxically, this is exactly the reason why source code availability guarantees absence of malware.


I think your argument is somewhat contradicted by the topic we are actually discussing.

If anyone can look at the source code, and compile it for themselves to check that the distributed version matches that source code then the distributed version won't contain malware.


There's nothing stopping the bad guys from still distributing malware in the binary to people who do not know better.

It would take only one person to spot any malware and blow the whistle, it isn't as though everyone has to look at the source code.


That's not the point. It's no big secret that the wares these low-lives peddle are malware. Even if it was open-source it would still be downloaded by people who, for one reason or the other, do not know better (I don't mean this in a negative way, btw).

If you can do that ... this is the ONLY reliable known way to be assured that software that you download is malware free.


No, the only way to be assured that it is malware free is by building it yourself from source that you also inspected. In every other case you're putting a certain amount of trust into the system and the people.

Reply Score: 2

lemur2 Member since:
2007-02-17

"Somewhat paradoxically, this is exactly the reason why source code availability guarantees absence of malware.
I think your argument is somewhat contradicted by the topic we are actually discussing.
If anyone can look at the source code, and compile it for themselves to check that the distributed version matches that source code then the distributed version won't contain malware.
There's nothing stopping the bad guys from still distributing malware in the binary to people who do not know better.
It would take only one person to spot any malware and blow the whistle, it isn't as though everyone has to look at the source code.
That's not the point. It's no big secret that the wares these low-lives peddle are malware. Even if it was open-source it would still be downloaded by people who, for one reason or the other, do not know better (I don't mean this in a negative way, btw).
If you can do that ... this is the ONLY reliable known way to be assured that software that you download is malware free.
No, the only way to be assured that it is malware free is by building it yourself from source that you also inspected. In every other case you're putting a certain amount of trust into the system and the people.
"

Why did you omit the critical bit of text in my post?

Here, I will replicate it for you: "Mind you, you have to be able to get the binary version and the source code from the same place. If you can't do that ... all bets are off."

Without that proviso, as I said, all bets are off. In fact this very case shows this point quite well ... the source code for the fake VLC (+malware) was NOT available to anyone. It certainly was not available from the same place as people were downloading it from.

With that proviso ... the record is pretty damn good.

As far as "trust" goes ... as long as someone can download the source code and compile it, and verify that the source code does actually make the binary that is being distributed ... and also that the development involves multiple people and can be seen by everyone in plain sight ... then no, trust is not necessary. Pure self-interest is enough to ensure the integrity of the project in this case.

Edited 2011-07-12 06:06 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

lemur2,

"As far as 'trust' goes ... as long as someone can download the source code and compile it, and verify that the source code does actually make the binary that is being distributed ... and also that the development involves multiple people and can be seen by everyone in plain sight ... then no, trust is not necessary. Pure self-interest is enough to ensure the integrity of the project in this case. "

I do have some questions here:

1. Even if some source were provided, how would a typical user get it compiled?

Even as a dev, source code can be frustratingly difficult to compile. Wrong compiler, wrong switches, external dependencies, etc.

2. How does a user/dev confirm that a binary was generated by the provided source?

The user may not have the exact same compiler and switches and libraries as the dev. The compilation step may be non-deterministic (compile time info in exe). The result would be binaries which do not match, and we have no idea if the binary contains malware.

Reply Score: 2

lemur2 Member since:
2007-02-17

lemur2,

"As far as 'trust' goes ... as long as someone can download the source code and compile it, and verify that the source code does actually make the binary that is being distributed ... and also that the development involves multiple people and can be seen by everyone in plain sight ... then no, trust is not necessary. Pure self-interest is enough to ensure the integrity of the project in this case. "

I do have some questions here:

1. Even if some source were provided, how would a typical user get it compiled?


This depends on the particular distribution. Gentoo and Sabayon package managers download, compile and then install the resulting binaries automatically. Ubuntu, Debian, RedHat, OpenSuse and others have duplicate repositories ... one for the source code and one for the resulting binary as compiled by the repository maintainers. Software can be downloaded and installed from either repository. Each and every user is in a position to verify that the source code does indeed produce the binary. Most users just install from the binary repositories, safe in the knowledge that other users audit this for them.

Even as a dev, source code can be frustratingly difficult to compile. Wrong compiler, wrong switches, external dependencies, etc.


All taken care of automatically by the package managers.

2. How does a user/dev confirm that a binary was generated by the provided source?


Download both the source and the binary (integrity of downloads is assured via key pair encryption. Repository public keys are distributed with the LiveCD initial distribution installer). Compile the source locally. Compare the binaries using diff, cmp or md5.

The user may not have the exact same compiler and switches and libraries as the dev. The compilation step may be non-deterministic (compile time info in exe). The result would be binaries which do not match, and we have no idea if the binary contains malware.


The compiler is part of the Linux distribution. Normally it is gcc.

The switches for the compiler are set by the scripts run by the package managers. Make files and whatever else needed are part of the source code packages.

Edited 2011-07-12 09:50 UTC

Reply Score: 1

saynte Member since:
2007-12-10


All taken care of automatically by the package managers.


Not really, see for example Debian's instructions on how to build from source:

http://www.debian.org/doc/FAQ/ch-pkg_basics.en.html#s-sourcepkgs

This isn't really something a normal user would want to get into, I think. It's certainly not performed by the package manager.

For source-based distributions this would work though, as their package managers are also essentially build systems.


Download both the source and the binary (integrity of downloads is assured via key pair encryption. Repository public keys are distributed with the LiveCD initial distribution installer). Compile the source locally. Compare the binaries using diff, cmp or md5.


Binary comparison wouldn't work unless you had the exact same development toolchain (versions of gcc, ld, etc) as whomever compiled the original. Even within a particular distribution version this may not be the case through updates and fixes to the toolchain.

Reply Score: 1
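The rebuild-and-compare check lemur2 describes above (download source and binary, compile locally, compare with cmp or a hash) and the toolchain objection saynte raises to it, as an added shell example that is not part of this thread or of any distribution's tooling. A constructed toy "build" step stands in for the compiler; the file names, the embedded build id used to imitate a non-deterministic compile, and the temp-dir layout are all assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild-and-compare check with a toy build
# step standing in for the compiler. All inputs are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BUILD_SEQ=0

# Toy "build": copy the source into an artifact. With embed=1 the artifact also
# carries a unique build id, the way a compile step that records build time or
# toolchain-specific details would (assumed stand-in for non-determinism).
build() {
    src=$1; out=$2; embed=${3:-0}
    BUILD_SEQ=$((BUILD_SEQ + 1))
    if [ "$embed" = 1 ]; then
        printf 'build-id: %s\n' "$BUILD_SEQ" > "$out"
    else
        : > "$out"
    fi
    cat "$src" >> "$out"
}

# The check from the thread: compare the distributed artifact with the local
# rebuild byte for byte (cmp), printing digests on mismatch so the divergence
# is visible. Returns 0 on match, 1 otherwise.
verify_rebuild() {
    distributed=$1; rebuilt=$2
    if cmp -s "$distributed" "$rebuilt"; then
        return 0
    fi
    command -v sha256sum >/dev/null 2>&1 && sha256sum "$distributed" "$rebuilt" >&2
    return 1
}

# Constructed source file.
printf 'int main(void){return 0;}\n' > "$WORK/main.c"

# Deterministic build: the maintainer's artifact and the user's rebuild match,
# so the user can confirm the distributed bytes came from this source.
build "$WORK/main.c" "$WORK/maintainer.bin"
build "$WORK/main.c" "$WORK/user.bin"

# Non-deterministic build: same source, different bytes. The check fails even
# though nothing malicious happened, which is the objection raised above.
build "$WORK/main.c" "$WORK/maintainer_ts.bin" 1
build "$WORK/main.c" "$WORK/user_ts.bin" 1

if verify_rebuild "$WORK/maintainer.bin" "$WORK/user.bin"; then
    echo "deterministic build: rebuild matches distributed binary"
fi
if ! verify_rebuild "$WORK/maintainer_ts.bin" "$WORK/user_ts.bin"; then
    echo "non-deterministic build: rebuild differs, verification inconclusive"
fi
```

The second case is the practical limit of the check: a byte mismatch only tells the user that the build was not reproduced, not whether the distributed binary is clean, so a mismatch has to be investigated (different toolchain version, embedded timestamps or paths) before anything can be concluded about the package.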

talaf Member since:
2008-11-19

Yep, it would be very hard to compare binaries resulting from source compilation on different versions of toolchains, especially since a lot of effort and tools are made exactly to ensure that you may compile something everywhere given some basic toolchain and the right library.

That said, I'm not a novice, and I'd trust official repositories. Bad things may happen, but that's true of any platform, the less likely the better!

PS : to the post-scriptum to the manifesto before, could you stop being a gigantic manichean ass and accept that some people do NOT bash Linux nor OSS, but may prefer paid and/or closed software? I use Windows, FreeBSD and Linux, what does that make me, multiple personality disorder or something? -_-"

Reply Score: 2

lemur2 Member since:
2007-02-17

Binary comparison wouldn't work unless you had the exact same development toolchain (versions of gcc, ld, etc) as whomever compiled the original. Even within a particular distribution version this may not be the case through updates and fixes to the toolchain.


The toolchain which builds the distribution is distributed along with the distribution.

The toolchain components are also updated via the package managers just the same as any other packages are.

Savvy users who keep their systems up to date are able to build source code packages in exactly the same way as the repository maintainers do, using the exact same toolchain. Why should they NOT be able to? It is not as though there is an expensive toolchain for anyone to buy ...

Reply Score: 2

lucas_maximus Member since:
2009-08-18

All taken care of automatically by the package managers.


so effectively to a non-savvy user ... it is effectively a compiled binary blob and you are only trusting on the good intentions of the package maintainer ...

Your arguments are ridiculous.

Reply Score: 2

tomcat Member since:
2006-01-06

"All taken care of automatically by the package managers.


so effectively to a non-savvy user ... it is effectively a compiled binary blob and you are only trusting on the good intentions of the package maintainer ...

Your arguments are ridiculous.
"

Look, give him his illusion of safety/security wrt GPL. He's clearly not dealing well with our present reality.

Edited 2011-07-12 20:04 UTC

Reply Score: 2

lemur2 Member since:
2007-02-17

"All taken care of automatically by the package managers.
so effectively to a non-savvy user ... it is effectively a compiled binary blob and you are only trusting on the good intentions of the package maintainer ... Your arguments are ridiculous. "

Indeed, non-savvy users are of no help in vetting that the downloaded source code produces the same binaries as the downloaded binaries.

However, because of the key pair encryption, all users of package managers are guaranteed to get the same packages from the repositories. The packages are all signed using the private key of the repository maintainers, and the package managers all have a copy of the public key.

This means that savvy users and non-savvy users get the same packages. Guaranteed.

Savvy users ARE able to verify that the source code packages produce the same executable as is contained in the binary packages. If any single such user receives any packages for which this is not so, they will blow the whistle. News of such an event would be all over the Internet in hours; it would be a sensation. Windows apologists such as yourself would jump all over such a story with glee.

Bear in mind that IRL it has never happened, though.

This is the story of open source software distribution using repositories and package managers. There is no "trusting" required, the simple operation of self-interest is sufficient.

Argue against this story ... and not some fantasy you have imagined. Your actual argument above is a logical fallacy called a "strawman".

Edited 2011-07-12 23:48 UTC

Reply Score: 2

Alfman Member since:
2011-01-28

lemur2,

"Each and every user is in a position to verify that the source code does indeed produce the binary. Most users just install from the binary repositories, safe in the knowledge that other users audit this for them."


I think we're overlooking an obvious attack vector though, if I'm a malicious repository maintainer and want to attack a target, then I will release legitimate source/binaries to everyone except my target, who might feel safe in the knowledge that other users have audited it for them.

Reply Score: 2

lemur2 Member since:
2007-02-17

lemur2, "Each and every user is in a position to verify that the source code does indeed produce the binary. Most users just install from the binary repositories, safe in the knowledge that other users audit this for them." I think we're overlooking an obvious attack vector though, if I'm a malicious repository maintainer and want to attack a target, then I will release legitimate source/binaries to everyone except my target, who might feel safe in the knowledge that other users have audited it for them.


The exchange between the repositories (which everyone uses) and the end users system is protected via key pair encryption. The public key of the repository is distributed to users via the installation CD of the Linux distribution ... so a user cannot install Linux without getting a correct copy of the public key. Therefore, users are assured, via the package managers, that downloaded packages were prepared using the secret private key of the repository.

There is no way to "release legitimate source/binaries to everyone except my target". Everyone gets the same packages.

Reply Score: 2

Irony
by avgalen on Tue 12th Jul 2011 03:31 UTC
avgalen
Member since:
2010-09-23

So Google provides a search engine and adwords that promote these fake downloads....
and they also provide the Chrome browser that has a "check malicious downloads" feature.

I guess they really did think this thing through ;)

Reply Score: 1

RE: Irony
by lemur2 on Tue 12th Jul 2011 03:59 UTC in reply to "Irony"
lemur2 Member since:
2007-02-17

So Google provides a search engine and adwords that promote these fake downloads.... and they also provide the Chrome browser that has a "check malicious downloads" feature. I guess they really did think this thing through ;)


I'm not sure about that ... "Irony" is saying the opposite of what you really mean.

http://dictionary.reference.com/browse/irony
"the use of words to convey a meaning that is the opposite of its literal meaning"

What Google have effectively said is self-consistent! ... twice they have indicated that you really need something to check Windows binary executable downloads, otherwise if you don't somehow check you may well get malware.

Reply Score: 2

RE[2]: Irony
by avgalen on Wed 13th Jul 2011 03:11 UTC in reply to "RE: Irony"
avgalen Member since:
2010-09-23

I agree that these two occurrences are self-consistent. There is malware on the net, so Google is correct in providing a scan-mechanism.
The irony is of course that Google helps to promote (adwords) and find (searchengine) the malware which is not behavior that you would expect from someone who builds a browser with a scan-mechanism for malware:

from the same link as you provided (http://dictionary.reference.com/browse/irony)
5. an outcome of events contrary to what was, or might have been, expected.

Reply Score: 1

RE[3]: Irony
by lemur2 on Wed 13th Jul 2011 03:17 UTC in reply to "RE[2]: Irony"
lemur2 Member since:
2007-02-17

I agree that these two occurrences are self-consistent. There is malware on the net, so Google is correct in providing a scan-mechanism. The irony is of course that Google helps to promote (adwords) and find (searchengine) the malware which is not behavior that you would expect from someone who builds a browser with a scan-mechanism for malware: from the same link as you provided (http://dictionary.reference.com/browse/irony) 5. an outcome of events contrary to what was, or might have been, expected.


Fair enough. My comment was a bit tongue-in-cheek and I shouldn't expect people to pick up on that. I guess we need <humour> tags as well as <sarcasm> tags, hey?

Edited 2011-07-13 03:23 UTC

Reply Score: 2

Comment by kaiwai
by kaiwai on Tue 12th Jul 2011 06:19 UTC
kaiwai
Member since:
2005-07-06

Could someone please explain to me why anyone would download something from a non-official website? ok, I'll put my 'novice' hat on for a moment and I'm surfing the internet - do I download something off a non-official website or do I decide to get the file straight from the source? It truly is amazing when I see idiots go off to 'file download websites' ('BrotherSoft' and 'FileHippo' being two that come to mind) when they could easily go directly to the official website and grab it off there.

I feel sorry for VLC (btw, is their name trademarked?) but I have absolutely no sympathy for end users who download stuff from third parties.

Reply Score: 3

RE: Comment by kaiwai
by lemur2 on Tue 12th Jul 2011 06:25 UTC in reply to "Comment by kaiwai"
lemur2 Member since:
2007-02-17

Could someone please explain to me why anyone would download something from a non-official website? ok, I'll put my 'novice' hat on for a moment and I'm surfing the internet - do I download something off a non-official website or do I decide to get the file straight from the source? It truly is amazing when I see idiots go off to 'file download websites' ('BrotherSoft' and 'FileHippo' being two that come to mind) when they could easily go directly to the official website and grab it off there. I feel sorry for VLC (btw, is their name trademarked?) but I have absolutely no sympathy for end users who download stuff from third parties.


To me, it is a question of user expectations. The "paradigm", if you will.

In Linux distributions these days, to install software the natural first port of call is the package manager.

On Windows machines, for many, many users, the first port of call might be a site like this:

http://majorgeeks.com/

Now such a site will do its best to protect its users, but no matter how hard they try, if the normal case is that authors of the software they link to can hide their source code from inspection by anyone else, then some malware trojans will get through. It is inevitable.

It is just the way it is. Hence the multi-million-strong legions of Windows machine botnets.

Reply Score: 2

RE: Comment by kaiwai
by lemur2 on Tue 12th Jul 2011 06:49 UTC in reply to "Comment by kaiwai"
lemur2 Member since:
2007-02-17

I feel sorry for VLC (btw, is their name trademarked?) but I have absolutely no sympathy for end users who download stuff from third parties.


http://blog.l0cal.com/2011/07/07/these-companies-that-mislead-our-u...

VLC say: "We now have trademarks in most European countries, unfortunately still not in the US"

Reply Score: 2

D'oh!
by marcp on Tue 12th Jul 2011 12:40 UTC
marcp
Member since:
2007-11-23

Oh, dang it ... !!!

Just download from the ORIGINAL source. If someone is just plain stupid and downloads from some popup/ad, then it is not your problem, VLC guys!

You did some really outstanding job with VLC player. It is a swiss-army video knife, one of the best codecs-free [bundled] players out there. That's the problem - popularity. Just get over it and do your work explaining everything on your website.

Stupid people need to educate themselves, really ...

Reply Score: 3

RE: D'oh!
by AlephZero on Tue 12th Jul 2011 14:04 UTC in reply to "D'oh!"
AlephZero Member since:
2011-07-12


Just download from the ORIGINAL source. If someone is just plain stupid and downloads from some popup/ad, then it is not your problem, VLC guys!

Stupid people need to educate themselves, really ...


You're right, but the problem here is dual:

1) The users that downloaded the program actually downloaded VLC + other cr@p. Infected users could say "I installed VLC and my computer now is 3x slower", blaming VLC for a crime it didn't commit

2) The malware could potentially make the host computer part of a botnet, potentially harming other people. Malware should NEVER be allowed in a computer!

Reply Score: 2

RE[2]: D'oh!
by marcp on Tue 12th Jul 2011 21:02 UTC in reply to "RE: D'oh!"
marcp Member since:
2007-11-23

Hey, come on, mate ... it's illogical.

Here's the correct chronology:
USER downloads something from WRONG source => USER gets infected and their computer becomes part of the botnet.

It has NOTHING to do with VLC, really.
It's all about STUPID [unskilful if you wish] USERS.

Please, don't blame your god for the murders people commit ...

Reply Score: 2

RE[3]: D'oh!
by AlephZero on Wed 13th Jul 2011 13:27 UTC in reply to "RE[2]: D'oh!"
AlephZero Member since:
2011-07-12


USER downloads something from WRONG source => USER gets infected and their computer becomes part of the botnet.

It has NOTHING to do with VLC, really.
It's all about STUPID [unskilful if you wish] USERS.


Of course it has nothing to do with VLC; "unskillful" users could be infected through *any* malware lure (fake antivirus, etc.).
But then, what are the VLC guys complaining about?
To quote Fauvet

This [malware spread by bad VLC] is not acceptable. The result is a poor product that doesn't work as intended, that can't be uninstalled and that clearly abuses its users and their privacy.

They do not want their (potential) users to become infected with malware, simple.
Let's hope that Google will try to countermeasure this. It already did with fake sites that replicated content from stackoverflow.com and the likes.

Reply Score: 1

not necessarily...
by TemporalBeing on Tue 12th Jul 2011 17:01 UTC
TemporalBeing
Member since:
2007-08-22

Not only does this violate the GPL - it's pretty damn low, too.


While I don't agree with what they are doing, they are not necessarily violating the GPL. It is a matter of whether they make the source available for the VLC software to whomever they distribute or not. (They do not necessarily need to make the source for their malware available if it is just sharing the installer.)

IANAL that's just how I see it.

Reply Score: 2

siraf72
Member since:
2006-02-22

"so it fascinates me to no end"

the use of "to no end" AFAIK implies to no avail, i.e. you were fascinated but alas, it was a waste of time.

on the other hand to say "it fascinates me no end" is informal English that implies there was no end to your fascination.

You may now go about your business. And please feel free to correct me if I'm wrong and if you have nothing better to do.... like me.

Reply Score: 1

Unionize !
by Kochise on Wed 13th Jul 2011 04:41 UTC
Kochise
Member since:
2006-03-03

VLC just should stop releasing and close its web site until the "affair" is solved. I'm sure that would move people...

Kochise

Reply Score: 2

Somebody contact Senator Leahy
by vitae on Thu 14th Jul 2011 00:23 UTC
vitae
Member since:
2006-02-20

He's so busy being in the pockets of the MPAA and RIAA, making new laws to regulate the web, he ought to make himself useful in doing something about malware instead.

http://leahy.senate.gov/

Or failing that, ask him how much of a campaign contribution (bribe) it takes to buy him.

Reply Score: 2