Re: Video editing in Linux?

From: Ian Molton (spyro_at_f2s.com)
Date: 11/02/04


Date: Tue, 02 Nov 2004 02:51:13 +0000

SjT wrote:
> I'm with stupid ---> Ian Molton <spyro@f2s.com> wrote:

Could you cut that out? It's more than slightly childish.

>>Security holes are due to bugs. OSS and CSS have bugs. The only issue is
>>how fast they are found and fixed. The faster the more secure.
>
> No, they are not always bugs; that's incorrect. If you have the source
> code for the application in question then you can write an exploit
> into the code and put it up for distribution, surely?!

Sure. I could write an exploit into the Linux kernel source NOW and have
'ianlinux 2.6.9' available to download on mnementh.co.uk inside minutes.

Are you seriously suggesting people will flock to my site to download
ianlinux in preference to the real deal?

Perhaps they will. More fool them. They should have checked the Linux
source code's signatures. Alternatively they could have run a diff over
ianlinux compared to mainstream Linux and the exploit would be
immediately obvious.

And are you suggesting hacked CSS like (say) Norton isn't floating about
on Kazaa? CSS can be hacked just as easily. You don't need to understand
what a program is doing in order to hijack it and add a backdoor. In
many cases the original program doesn't even need to continue to work, as
long as the hack installs the backdoor - the user will just think 'oh,
my dodgy copy doesn't work... ah well.'

> What kind of protection is employed to prevent this from happening? I
> know you've mentioned digital signing; is that something that the
> original author would pay for and have submitted?

No. It's completely free. Perhaps you should read around the subject?

>>No, we get it from official download sites for the various projects.
>>There are signatures we can use to check the integrity of the downloads.
>
> Well, someone laughed at me when I mentioned there were top Linux
> groups out there for this purpose?!

download site != group.

> Anyway, just because you do that, Ian, doesn't automatically mean that
> everyone else does it. What if the app you require doesn't appear on the
> official download site?

All current Linux apps have official download sites. As with CSS, when
you use a legacy binary from an unknown website, you takes your chances...

Hopefully you'd run the untrusted binary in a chroot or such to minimise
any impact...

>>how do you suggest the malicious code is injected?
>
> You don't need to inject it; you bring up the source code and
> incorporate it into the original source. Failing that, you could put it
> in one of the files that main.c calls.

You really have no idea how C works, do you?

>>*IF* such a modification ever made it into the code, it would be spotted
>>quickly by any competent OSS *OR* CSS developer.
>
> This is what I can't get my head around: at which point would it be
> spotted?!

The modification would have to go through a project developer to get
into the official package. They would run a diff and would reject any
code they didn't agree with / understand the purpose of.

> who has the job of reading through the source code?!

Er. The package maintainers. Duh. The advantage with OSS is that ANYONE
ELSE can read through too, which helps catch the (rare, very rare) thing
that might slip through. With CSS you'd never know, and you'd have to
trust the developers. Remember the backdoors Id put in Quake?

>>And if you run software from just anywhere or Kazaa! you get what you
>>deserve, no matter what your OS is.
>
> Some people do not have web access and so choose to download through
> P2P or newsgroups.

As long as you verify package signatures, that should be fine.

> People do use P2P. With CSS the majority of known malicious code
> would be spotted through the use of a virus checker; however, OSS would
> allow anyone with a small amount of coding knowledge to perform god
> knows what on your machine.

Huh? Both CSS and OSS are streams of data when downloaded. What makes
you think automated checking of one is possible but not the other?

>>Moronic users have always been a security risk.
>
> Would you say that OSS would be more risky for moronic users than CSS
> then?

No, I'd say it'd be exactly the same.

>>Whereas under Linux the odds are the problem is FIXED before any temporary
>>hack is even needed. And Linux updates never needlessly reboot the
>>machine. There is ONE update that requires a reboot, and that's an actual
>>change to the core kernel itself, which is about a once-a-year event at
>>worst.
>
> In that case it's no different to my win2000 server beside me then ;)

M$ have never produced a patch in under a day. Don't bull***. And your
'server' isn't sitting out there in the wild, it's a poxy no-load internal
nothing server.
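The check Ian keeps pointing at (verify the kernel source's signature and checksum before trusting a download) written out as an added example; it is not from the thread. It assumes today's kernel.org layout: `linux-X.Y.Z.tar.xz`, a detached `linux-X.Y.Z.tar.sign` made over the *uncompressed* tarball, a clear-signed `sha256sums.asc` in the same directory, and a `gpg` keyring that already holds the kernel maintainers' keys.

```shell
#!/bin/sh
# Added example, not code from the thread. Verifies a downloaded kernel
# tarball against the project's signed checksum list and detached signature.
# Assumed layout (kernel.org): linux-X.Y.Z.tar.xz, linux-X.Y.Z.tar.sign over
# the uncompressed tar, and a clear-signed sha256sums.asc alongside.

# Return 0 only if the sha256 of file $1 matches the entry for its basename
# in manifest $2 (lines of the form "<hash>  <filename>"). A file with no
# entry at all is treated as a failure, not a pass.
check_sha256() {
    file=$1; manifest=$2
    name=$(basename "$file")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $manifest" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Verify the detached signature. The signature covers the *uncompressed*
# tarball, so the .xz must be decompressed and fed to gpg on stdin;
# verifying against the .xz directly would always fail.
check_signature() {
    tarball_xz=$1; sig=$2
    xz -dc "$tarball_xz" | gpg --verify "$sig" -
}

# Full check for one release: first make sure the checksum list itself is
# signed by a trusted key (an unsigned manifest proves nothing), then the
# checksum, then the tarball's own signature.
verify_release() {
    tarball_xz=$1
    dir=$(dirname "$tarball_xz")
    gpg --verify "$dir/sha256sums.asc" || return 1
    check_sha256 "$tarball_xz" "$dir/sha256sums.asc" || return 1
    check_signature "$tarball_xz" "${tarball_xz%.xz}.sign"
}
```

Run as `verify_release /path/to/linux-X.Y.Z.tar.xz`; any non-zero exit means the download should not be built or installed.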