Re: Video editing in Linux?

From: Ian Molton (spyro_at_f2s.com)
Date: 11/03/04


Date: Wed, 03 Nov 2004 15:02:10 +0000

SjT wrote:

>>>No as the malicious version, say, open office for example, would run
>>>totally normal for months and months until that person suddenly finds
>>>out that they've been had either by some serious CC theft or just
>>>reading a news item somewhere.
>>
>>and this is an OSS specific problem because?
>
> Because the possibility exists that you may be able to modify that
> source code and have it accepted to appear on the official site, it
> only takes a lapse and for it to be up for a day.

Such a lapse has not happened in any mainstream linux OSS project I am
aware of to date.

> I'm just thinking of possibilities i'm not saying it is happening or
> it will happen.

It's no more or less likely than a maliciously modded CSS binary. CSS
binaries have the *dis*advantage that you can't compile another one and
compare it to the one you have, by the way, thus making it *impossible*
to check the validity of the binary without co-operation from the vendor
(not always available).

>>>all i gotta do is take the source file and add my own routine
>>>in there and send it on for someone to use..
>>
>>That's not hacking a program, it's social engineering. you could take a
>>shellscript that does 'rm -rf /*' and name it 'openoffice.exe' and
>>convince some schmuck to run it.
>
> Yes, but they won't be running that day after day completely oblivious
> to what is happening would they?!

They wouldn't need to.

besides, what about a script like

run malicious keyboard scanner in the background
run real application

that can and does go undetected for months at a time.

> It is totally viable that you could modify the source code out there
> to perform pretty much any task you wanted it to. Getting it through
> the checkers is another issue of course, but it will be breached if
> enough people try

I disagree. if a maintainer hasn't got time / inclination to check they
won't just accept it, they will drop it.

>>Do you know what 'hacking' is?
>
> no, sorry, not a clue.

Clearly.

>>>When i get linux i will modify some code and send to you, just
>>>something silly like deleting files or something along those lines.
>>
>>I'll happily NOT execute it then. Your challenge is to get the malicious
>>content onto my machine AND executed.
>
> Why the *** would i want to do that to you? I haven't got the time
> or the desire to screw other people's machines up.

To prove your assertion that it's easy. I promise I won't sue you.

>>The way you talk about main.c 'calling' other things, for one. Your use
>>of language in this field makes it clear you are far from an expert.
>
> So you cannot call subs or functions from main.c then?

Correct.

> Are you mad?!

nope.

main.c doesn't call ANYTHING.

when you compile main.c, assuming we're talking of a multi-file project
here, which you clearly are, you will get a main.o object file, with
unresolved references in it. you will also get .o files for your other
source files and once you have them, you use a linker to resolve
internal and external interdependencies in the object files. At run
time, the dynamic linker resolves any remaining library references (dlls
on windows).

but main.c doesn't call squat, and in fact you could sub in a completely
different set of .o files as long as the references match up, and main.c
wouldn't have a clue you did it. The program might behave in a completely
different manner too.

eg. main.c looking like

int main(void) { /* yeah, improper prototype I know */
     do_something();
     return 0;
}

would compile with a reference to do_something() which could be ANY
function in ANY other source file, which (when compiled) had the same
symbol (do_something).

>>Perhaps you are, but you'll forgive me being cynical when I rebut your
>>point and you come back along these lines :
>>
>>You: P2P is all about piracy
>>Me (rebuttal): LFS uses bittorrent to distribute its sourcecode legitimately
>>You: yeah, well, uh. *bit torrent sucks*.
>>
>>I'm sure you see my point.
>
> If you rephrase it like that, sure you may have a point, but the point
> i made was that not everyone can use bittorrent,

I never claimed everyone could.

> a few ISPs block
> ports 7001-7009 so forcing you to use alternatives causes a very very
> slow download rate which is near unusable.

Huh? are you seriously suggesting some port numbers are slower than others?

>>UTTER crap. Before I came to use linux on a day to day basis I used a
>>small british OS called RISC OS, which was very good in its day and to
>>this day continues to be a source of innovative new software.
>
> Yeah i've used RISC OS, as you say, very good, excellent at
> multitasking.

Actually RISC OS uses co-operative multitasking and any one app could
hang the system easily. so no, not really.

RISC OS's strength was a GUI which has almost the same flexibility as a
command line. it's REALLY well laid out.

> Not true, a lot of hardware is cheap because they know the majority
> would be using it on windows,

That wasn't the case 15 years ago when all this started.

> therefore they can take the option of
> utilizing the cpu through windows to process what would normally be
> done in hardware (i.e. like a winmodem).

The 'winmodem' is the only REAL example of this type of thing. not much
else does its DSP work in software, barring audio.

Graphics cards do a TINY amount of emulation, and my DVB TV tuner lets
the CPU handle mpeg decode, but that's not exactly a windows specific
acceleration.

All this came AFTER windows was dominant anyway - because the
manufacturers knew they could sell enough to purely windows users to
get away with it. this wasn't the CAUSE of windows rise.

> That has bought hardware prices down, as the hardware only solutions
> have to be competitive, on top of that Microsoft push a lot of money
> into pushing windows into homes and businesses and so the amount of
> users grow, hence the hardware sales increases, thus lower prices.

Indeed. the product is not being pushed on its own merits - hardly fair.

> I don't know about monitoring your data from the radio, but all those
> tasks are minuscule, i doubt your cpu even hits 10% of its potential

I'm talking 2048 point fourier transform...

> (Thats assuming you have a modern processor) until you play a game or
> re-encode video, hardly what i would define as pushing an OS.

Hrm. Quake3 uses about 5%-10% of my CPU time (under linux). so much for
that theory. all modern (3d type) games push the video card FAR harder
than the CPU.

> I'm not saying you should switch to windows?!
>
> It's horses for courses, the only option that appeals to me in that
> paragraph is an efficient filesystem of course, i don't want 7 virtual
> desktops or a super fast network performance at home, i just want
> software that does what i want and enhances my creativity, not stifles
> it.

I don't see how having multiple desktops or good network performance
could stifle your productivity.

>>I care. If it wasn't for the stolen code M$ would have had to write it
>>themselves. instead they used the advantage to crush their competition,
>>resulting in a stagnant (albeit cheap) market with no real innovation.
>
> Not true, you have that 'innovated' option with linux, surely?
> Although what you would call innovation others would label as change
> and would not be happy with it.

There's not much 'innovative' in linux, it's a fairly typical unix class
OS. It is reasonably well written and has a lot of reasonably well
written software available for free.

Not to say there is nothing innovative about linux but really innovation
only happens at the very edge of the software world (no matter what your
OS is).

> MS have a great business model, and it is frustrating if you don't like
> them, but take your hat off at what they've done in a business sense ,
> they are a very aggressive company.

the USA is aggressive in its international relations, yet I doubt many
would take their hat off to them...

>>and for the incompetent ones, simply rename nuke.exe to norton_setup.exe
>
> But that's not modifying the norton code is it?! nuke.exe would be
> eaten up by the virus checker upon coming down from the net.

I suggest you test your theory there. I bet you a script containing that
code would sail straight through.

> I'm specifically talking about modifying software to run code that is
> imbedded within the original source code, not tagged onto the end of
> the file, not renaming a file to something else, actually built within
> the core functions of the software.

Why do it the hard way, especially when it makes detection easier?

>>If I did that here, the worst I would do is wipe out my user data files.
>> My OS would remain untouched. (barring a kernel or SUID binary bug, of
>>which there are no currently exploitable examples)
>
> What about running a server which opens your ports? or permissions to
> delete/rename files on your HDD's?

On linux when you run a program it runs with the privileges of the user
who launched it. since the applications and system setup are owned by
root, and any non-stupid user would never be running as root, it is
impossible (barring an exploitable kernel bug) to alter those files.

> I can't see how you can run read-only rights when re-encoding video
> for example.

I didn't say read only. you can set things up so that you can't (as a non
root user) execute software that wasn't installed by root. thus even if
you did download a virus, it'd be owned by yourself and thus could not
be executed.

for non executable files, you would still have full read/write capability.

>>maintainer. they would read the patch and see something like
>>
>>- security_check()
>>+ /* Remove temp files */
>>+ rm -rf *
>>+
>>and I would hope any smart developer would at least check that out.
>
> What?! You wouldn't go down that path at all, besides that looks more
> like a batch/script file to me, if attempted to compile it i would
> expect to see some errors!??

It's intended to give you some idea of what a (unified diff style) patch
looks like.

> You would hide it amongst other code, i.e. add a function into one of
> the files defined as an include and call it when required later in the
> code.
>
> So many options as you well know.

patches ONLY show the *differences* between the original and the
modified version. any attempt to insert malicious code would stick out
like a sore thumb. that's the reason large patches are often rejected out
of hand btw - they are too hard to read properly.

> And what if the app in question requires admin rights? Would you
> question that?

I certainly would. but you can still test those by using a chroot
environment, the rest of the system remains safe. (to a point).

>>Sometimes a person or group of people take a project and 'fork' it into
>>two separate projects. often the forks develop for a while and then
>>merge back into the original project. sometimes they become new projects
>>in their own right.
>
> Is there ever a time when code is not approved for being too big or
> deemed not to be useful, yet there is a demand for it so to obtain
> this 'extra' version you would have to use non-official means?

Yes, however then you are really on your own and likely heading into
developer-only sort of territory. One can't defend a truly determined
idiot...

> It's hardly doing nothing.. it's serving all our users here, admit it,
> in the right hands windows is pretty useful and does what it says on
> the tin ;)

You mentioned it's serving about 2-3000 emails a day. a 386 could do that
running linux...

> Although saying that we had a power cut yesterday and the frigging UPS
> failed on us, so it has gone down! You caused this! ;)

Bwhahahaha :-)

>>9/11? ROFL yeah ok. btw, it's 11/9 in the civilised world :-)
>
> You don't think then?
>
> I know here at work we've seen nothing like it before the 911

spam was on the increase before it and has been ever since then. I saw no
sharp rise.

>>Blanket statements are bad, but basically, nothing. a firewall doesn't
>>hurt and will help you detect anything untoward. virii on unix type
>>systems are nonexistent despite the fact that the majority of the
>>(servers on the) net use it, and would be supremely plummy targets
>>thanks to their phat connections.
>
> So viruses are a possibility on Linux, it's just that they don't exist?

Given ANY software can have bugs, they are a possibility on ANY system.

It happens that linux is well thought out enough that despite
considerable incentive there are no current examples out there. there
was a worm that targeted specific redhat machines once but that was a
long while back now.

> Pretty interesting stuff that, what firewall would you recommend?

Linux kernel has a very efficient well thought out stateful firewall
built in. you need the iptables software to control its behaviour.

>>Look, if you bought the thing for windows and its drivers sucked you'd
>>have taken it back. either treat linux the same way or stop whining as
>>you only have yourself to blame on this one. I will *bet* it wasn't the
>>only device able to perform that well, there were HUNDREDS of TAs to
>>choose from at that time.
>
> Well no doubt if i was prepared to wait long enough asus would have
> put good drivers up, i don't know, i just wasn't prepared to sacrifice
> windows functionality for a linux play-around.

Which is exactly what I said - you bought it with windows more in mind
than linux, and you got what you paid for.

>>[DSP work]
>>You say that DSP work isn't CPU load dependent. You are WRONG. just
>>because you have a blazingly fast CPU doesn't mean this isn't true, it may
>>simply make it irrelevant for you.
>
> I said that the DSP latency does not differ when put under load, i
> used to run VST on a 400mhz machine comfortably, the only limit
> regarding the cpu was how many effects could be processed, if my max
> was 10 then no matter whether i was using 1 or 10 the latency did not
> alter.
>
>
>> "Upgrading my CPU recently i gained the benefit of adding more FX
>> and instruments, no more latency though."
>>
>>See?
>
>
> Yes it didn't affect latency which, your point that latency would be
> affected when the cpu was under load is incorrect.

Look, some DSP processes are commutative (use a dictionary). Others
aren't. there are, IOW, some effects where (theoretically) a near
infinite number can be layered without any slowdown. If you use ONLY
those, I'll agree with you.

HOWEVER not all effects can be done this way. you ARE WRONG.

>>Oh btw, you claim 3ms latency on your system and think its good? I've
>>just done some research and found that this was the level linux was at a
>>few years ago (2.2.10 kernel era) and on a 350MHz K6-II at that. Further
>>googling found a quote from one of the linux developers as follows:
>
> *snip*
>
> I was referring that windows can turn around my line-in source, add
> several effects on to it, play soft synths in real time and god knows
> how many other audio tracks with real time DSP on them, all within
> 5.33ms.
>
> Linux at the moment can't even do that due to the software not
> existing, so it cannot be compared.

the software does exist, in at least 5 or six different projects that
you can choose from.

>>Cubase equivalent - rosegarden
>>premiere equivalent - cinelerra
>>media players: xmms, beep, mplayer (and others)
>
> Excellent cheers for those, very interested to see how cinelerra, main
> actor and rosegarden compare to what i use currently.

Bear in mind I have never as much as downloaded rosegarden, cinelerra or
mainactor. YMMV.
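
The linking behaviour described in the post above (main.o carries an unresolved reference to do_something, and any object file defining that symbol can satisfy it), as an added example that is not part of the original message. The file names impl_a.c and impl_b.c and the printed strings are constructed for illustration, and the script assumes a C compiler installed as cc plus the nm tool.

```shell
#!/bin/sh
# Constructed demo: main.c is compiled once, then the same main.o is linked
# against two different object files that both define do_something().

link_demo() (
    work=$(mktemp -d) || exit 1
    cd "$work" || exit 1

    cat > main.c <<'EOF'
void do_something(void);   /* declaration only; no definition in this file */
int main(void) {
    do_something();
    return 0;
}
EOF
    cat > impl_a.c <<'EOF'
#include <stdio.h>
void do_something(void) { puts("impl_a: hello"); }
EOF
    cat > impl_b.c <<'EOF'
#include <stdio.h>
void do_something(void) { puts("impl_b: something else entirely"); }
EOF

    # Compile only (-c): each source becomes a .o, nothing is resolved yet.
    cc -c main.c impl_a.c impl_b.c >&2 || exit 1

    # Link the very same main.o against each implementation in turn.
    cc -o prog_a main.o impl_a.o >&2 || exit 1
    cc -o prog_b main.o impl_b.o >&2 || exit 1

    echo "$work"    # hand the build directory back to the caller
)

# Symbols main.o refers to but does not define (what the linker must resolve).
undefined_in_main() { nm -u "$1/main.o"; }

if command -v cc >/dev/null 2>&1 && command -v nm >/dev/null 2>&1; then
    dir=$(link_demo) && {
        undefined_in_main "$dir"   # lists do_something as undefined (U)
        "$dir/prog_a"              # behaviour comes from impl_a.o
        "$dir/prog_b"              # same main.o, behaviour from impl_b.o
        rm -rf "$dir"
    }
fi
```

Because main.o is identical in both programs, checking the integrity of a build means checking every object and library that gets linked in, not only the file that contains main().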