[opensuse] Scary enough for Halloween...
This is an excerpt from an article I read at http://www.gnashdev.org/?q=node/62
It contains this and a lot more information:

<quote>
What if there was a type of cookie that could:

* Stay on your computer for an unlimited amount of time
* Store 100 kb of data by default, with an unlimited max
* Couldn’t be deleted by your browser
* Send previous visit information and history, by default, without your permission

Okay… That’s a pretty scary cookie. As it is right now, the cookies we’re so deadly afraid of can store a maximum of 4 kb of information, are managed by your browser, and by default have reasonable defaults and restrictions.

This type of cookie exists on 98% of global computers, across all operating systems. It’s the Adobe Flash Player.
</quote>

I always knew the Adobe player had some security issues but installed it anyhow on my system in order to play YouTube and other flash oriented sites. I had no idea that when I cleared 'cookies', so much was being left behind.

I found 'flash cookies' from a bunch of places I know never had 'videos' and some I don't ever remember visiting. A partial list I found on my machine included:

~/.macromedia/Flash_Player/#SharedObjects/5TQ5UR76> ll
total 36
drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 bankofamerica.com
drwxrwx--- 3 ricreig root 4096 2009-09-02 10:49 cfl.brighthouse.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 login.yahoo.com
drwxrwx--- 2 ricreig root 4096 2009-10-25 12:23 mail.google.com
drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 static.howstuffworks.com
drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 wunderground.com
drwxrwx--- 2 ricreig root 4096 2009-09-01 20:33 www1.va.gov
drwxrwx--- 2 ricreig root 4096 2009-10-19 20:42 www.paypal.com
drwxrwx--- 2 ricreig root 4096 2009-09-19 09:17 www.weather.com
ricreig@athelon:~/.macromedia/Flash_Player/#SharedObjects/5TQ5UR76>

Most of these don't even have videos that I am aware of so they seem to be using the 'super cookie' feature of flash without having to show a video.

I moved a bunch more to another directory for further exploration:

/.macromedia/Flash_Player/#SharedObjects/crap> ll
total 116
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 bin.clearspring.com
drwx------ 2 ricreig users 4096 2009-10-12 12:43 cdn.taboolasyndication.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 cdn.widgetserver.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 chatango.com
drwxrwx--- 3 ricreig root 4096 2009-09-10 13:35 e.blip.tv
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 flash.quantserve.com
drwxrwx--- 2 ricreig root 4096 2009-09-10 13:37 load.tubemogul.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 media.scanscout.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 msnbcmedia.msn.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 pub.widgetbox.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 pub.widgetserver.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 quantumcache.rr.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 quantumprofile.rr.com
drwx------ 2 ricreig users 4096 2009-10-12 12:40 redir.adap.tv
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 serve.a-widget.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 s.mcstatic.com
drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 ssl-images-amazon.com
drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 static.twitter.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 swf.redlasso.com
drwxrwx--- 2 ricreig root 4096 2009-10-31 23:32 s.ytimg.com
drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 us.etrade.com
drwx------ 2 ricreig users 4096 2009-09-26 23:35 us.mg4.mail.yahoo.com
drwxrwx--- 3 ricreig root 4096 2009-08-20 10:22 video.google.com
drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 vortex.accuweather.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 webmessenger.yahoo.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 www22.verizon.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 www.rr.com
drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 www.youtube.com
ricreig@athelon:~/.macromedia/Flash_Player/#SharedObjects/crap>

Many of these I have never been to, don't know where they came from and some of them seem like tracker sites. In any event, Adobe Flash Macromedia is banned from my system because it puts things on it that I didn't authorize, want, or are being used against my wishes in ways I do not sanction.

Still, there are YouTube, etc, sites that do have things I would like to see and I need a secure (as possible) flash player. What recommendations are given? Gnash? Any in the OSS repos any good?

Again, this URL is a great starting place for information about this garbage and privacy invasion that is so well hidden, 95% of the people probably don't have a clue...

http://www.gnashdev.org/?q=node/62

Richard
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org

On Tuesday 03 November 2009 02:54:35 Richard wrote:
> Okay… That’s a pretty scary cookie. As it is right now, the cookies we’re so deadly afraid of

I'm not afraid of them. What exactly do you think a cookie can do?

> can store a maximum of 4 kb of information,

What do you think will be stored there? For tracking purposes, all you need is an ID. Let's say 128 bits. The rest can be stored on their servers. Using hundreds of K on your machine may sound 'scary', but it adds absolutely nothing from a security standpoint, I consider it an annoyance, nothing more.

And looking at the files I have under .macromedia, it is clearly being used as a cache for data objects, and for stored settings. I don't see anything special there. Most of the files are plaintext anyway so you can see what is stored.

As with regular cookies, I don't see what the big deal is. As long as a domain can't request cookies from other domains they can only ever track what you do on their site and not what you do anywhere else (including on sites where they supply advertisements), so what is the problem?

> I found 'flash cookies' from a bunch of places I know never had 'videos'

Flash is much more than just videos. Almost all games I play online are flash, and just about all advertising these days seems to be flash.

Can you point to any specific dangers with this (other than potentially running out of disk space, which is annoying enough but hardly a security issue)?

Anders

On Monday 02 November 2009 09:30:27 pm Anders Johansson wrote:
> On Tuesday 03 November 2009 02:54:35 Richard wrote:
>> Okay… That’s a pretty scary cookie. As it is right now, the cookies we’re so deadly afraid of
> Can you point to any specific dangers with this (other than potentially running out of disk space, which is annoying enough but hardly a security issue)?
> Anders

Anders... It seems obvious to me that you *didn't* read the article. Your 'ho-hum' attitude toward 'real' cookies is well founded, but, this and related articles show how the 'flookies' are being exchanged, unlike regular cookies and used. In my case, there is a hell of a lot more than my User ID and settings in the files that I can decipher, lordy knows what is in the big ones that I can't because I don't have my magic decoder ring. EVEN IF they are totally as innocent as a 'real' cookie, that they are being put on and used by people in ways that do invade privacy and do not give you a way to eliminate them (unless you can find where they are hidden and use system tools to do it). READ the article, form your own opinion, and it's your machine, do with it as you will, but I am not arguing the merits of 'flookies', only asking for viable alternatives to Adobe.

Local shared objects were introduced in Flash Player 6, to allow websites and applications to remember things about a user between that user's visits. A local shared object, by itself, is just information tied to a particular website — it can't do anything to or with the data on your computer. A local shared object is exactly like a browser cookie, except that it can also store data that is more complex than simple text. Third-party cookies and third-party local shared objects are often used by advertisers to anonymously track the sites and ads you view for market research or to present more personalized ad experiences.

http://www.adobe.com/products/flashplayer/articles/thirdpartylso/ from the horse's mouth is where I got additional information. ComputerWorld magazine has a whole series of articles relating to this and other security issues in case you wish to do some real 'poo-pooing'.

With over 6.5 Tb of local storage in my RAID file servers, I'm not particularly afraid of running out of space due to 'flookies', but I live by the adage, I'll give you a buck if you ask for it, but steal a penny and your ass is grass. Flookies are stealing more than pennies IMO.

Richard

On Tuesday 03 November 2009 03:58:21 Richard Creighton wrote:
> In my case, there is a hell of a lot more than my User ID and settings in the files that I can decipher,

...such as?

> A local shared object is exactly like a browser cookie, except that it can also store data that is more complex than simple text.

Here's the point I was trying to make: if 'they' really were looking to track you, storing the information on your hard drive would be so stupid as to defy belief. They can't run statistics or anything else with data stored on your machine. They would have to rely on you being online, and using one of their flash programs when they want to do anything.

So, the information needs (as in absolutely must) be on their machines in order for them to do anything sensible with it.

Now, assume a nefarious ad agency wanted to do this and had found a way of tracking you. What would make more sense, given the above?

a) leaving the information on your hard drive, or
b) uploading the info to their own server, leaving only an identifier on your machine?

People wanting to track you gain exactly nothing by storing things on your machine, they only lose.

> READ the article

I did, and I still see nothing that the larger file storage could do to me that a simple user ID couldn't. And the tracking still means that they keep track of the web sites from which you loaded their ad - install an ad blocking plugin in Firefox, and your problem is solved. No ads, no tracking

Anders

On Monday 02 November 2009 10:16:33 pm Anders Johansson wrote:
> On Tuesday 03 November 2009 03:58:21 Richard Creighton wrote:
>> In my case, there is a hell of a lot more than my User ID and settings in the files that I can decipher,
>> READ the article
> I did, and I still see nothing that the larger file storage could do to me that a simple user ID couldn't. And the tracking still means that they keep track of the web sites from which you loaded their ad - install an ad blocking plugin in firefox, and your problem is solved. No ads, no tracking
> Anders

Anders, I do and instantly if not sooner install ad blockers such as Ad Block Plus, which does a great job of blocking unwanted ads. However, these 3rd party LOS files (*.sol) are NOT required to be embedded in a viewable FLASH file. Many are executed without the knowledge or permission of the owner of the machine and as they are able to open and gather data stored in other LOS files on your system, over a period of time, a huge amount of information is accumulated and distributable to anyone who knows they are there. Advertising firms have 'stables' of clients that want and share this information, one 'flookie' at a time, accumulating into a 'mega flookie' maintained not on the server but on your own computer in a cookie the server can retrieve anytime it wishes simply by your visiting *any* of the cooperating sites.

...and IF a simple user ID was sufficient, why the need for 100K - 1M and more in the 'flookies'? It is hard to block what I don't know exists and it is even harder to erase it if I can't find it because it is well hidden. Also, some servers will maintain a copy of the 'flookie' on their site, add to it when other information is gathered from whatever source, and even if you erase your copy, they can and do 'regenerate' the data on your machine the next time you visit a cooperating site.

They are not *supposed* to be executable, but there is nothing to prevent executable code from being uploaded to your machine, stored in a 'flookie' and with the cooperation of a reader like Adobe, launch the code. No, it isn't supposed to happen, but neither are worms and viruses supposed to happen. Giving hackers a way to infiltrate your machine, unimpeded and unquestioned is giving them the keys to the machine. It is inevitable that one will use it to start their destructo mechanisms.

bin.clearspring.com is one of the big ad data collection sites....I never ever went there for any reason, yet the biggest file on my machine has their name on it as the 'owning domain'. To the best of my knowledge, ABP blocks that site directly...so how did it get there? It got there because of the code in Adobe doing what a 'flash' snippet said to do, even if it was invisible and not part of a regular flash presentation.

If you have Adobe Flash, go visit Whitehouse.Gov....then check your ~/.macromedia and see if you didn't get a little present. I did.... Got a few from my bank(s) too.

Now, again, my question isn't whether or not 'flookies' are good or safe or valuable or desirable or whatever, I am asking for an alternative to ADOBE versions which are closed source and can and probably do have code in them that could be used to exploit machine and because it is closed source, no one would be the wiser. OPEN SOURCE code at least gives us a fighting chance to discover and eliminate code that improperly uses our computer system resources. If you wish your computer resources to be used to the benefit of advertisers or government agencies, or whomever, then be my guest, I don't and Adobe is handing out keys IMO to anyone that wants to hack into almost 98% of the installed desktop computer base, Windoze and Linux alike.

I am only asking what OPEN SOURCE alternatives exist that allow the positive aspects of Flash to be used without opening the door to the trojans, worms, spyware, and data mining of personal information to occur without control.

Richard

Hi,

not sure and not tested by myself but doesn't Flash allow to control the storage?

http://kb2.adobe.com/cps/526/52697ee8.html

Wolfgang

On Tuesday 03 November 2009 08.16:20, Wolfgang Rosenauer wrote:
> Hi,
> not sure and not tested by myself but doesn't Flash allow to control the storage?
> http://kb2.adobe.com/cps/526/52697ee8.html
> Wolfgang

Thanks Wolfgang for this informative link! It seems to be really easy to set the privacy things according to one's wishes. (Just have to allow a pop-up to get the "global settings" window.)

Daniel
--
Daniel Bauer photographer Basel Barcelona
professional photography: http://www.daniel-bauer.com
erotic art photos: http://www.bauer-nudes.com
Madagascar special: http://www.fotograf-basel.ch/madagascar/

On Tuesday 03 November 2009 02:16:20 am Wolfgang Rosenauer wrote:
> Hi,
> not sure and not tested by myself but doesn't Flash allow to control the storage?
> http://kb2.adobe.com/cps/526/52697ee8.html
> Wolfgang

It isn't the ones I *know* about, it is the ones that sneak in uninvited. There doesn't seem to be a good way to keep out the uninvited 'stealth' flookies. I *thought* I had told Adobe Flash to NOT store any of that stuff on my system. Come to find out, the ones I *really* didn't want on my system were the very ones that infested my system.

The solution for me, at least, is to eliminate Adobe Flash until and unless there is a uniform way to control it, like 'real' cookies. "Real" cookies can be fine tuned quite well as to who, and when and for how long cookies will be accepted. And, this is easily verifiable. Not so with 'flookies'. Not with closed-source software where there is no way to verify what the code being run does.

Flash is a good idea, but as implemented, leaves much to be desired, especially in the arena of system security and user control.

Richard

On Tuesday 03 November 2009 08:15:30 Richard Creighton wrote:
> On Tuesday 03 November 2009 02:16:20 am Wolfgang Rosenauer wrote:
>> Hi,
>> not sure and not tested by myself but doesn't Flash allow to control the storage?
>> http://kb2.adobe.com/cps/526/52697ee8.html
>> Wolfgang
> It isn't the ones I *know* about, it is the ones that sneak in uninvited. There doesn't seem to be a good way to keep out the uninvited 'stealth' flookies. I *thought* I had told Adobe Flash to NOT store any of that stuff on my system. Come to find out, the ones I *really* didn't want on my system were the very ones that infested my system.
> The solution for me, at least, is to eliminate Adobe Flash until and unless there is a uniform way to control it, like 'real' cookies. "Real" cookies can be fine tuned quite well as to who, and when and for how long cookies will be accepted. And, this is easily verifiable. Not so with 'flookies'. Not with closed-source software where there is no way to verify what the code being run does.
> Flash is a good idea, but as implemented, leaves much to be desired, especially in the arena of system security and user control.
> Richard

Take a look at the NoScript plugin for Firefox. It allows you to control which scripts can run and which can't, including Flash content.

Bob
--
Registered Linux User #463880 FSFE Member #1300
GPG-FP: A6C1 457C 6DBA B13E 5524 F703 D12A FB79 926B 994E
openSUSE 11.1, Kernel 2.6.27.37-0.1-default, KDE 4.3
Intel Core2 Quad Q9400 2.66GHz, 4GB DDR RAM, nVidia GeForce 9200GS

On Monday 02 November 2009 21:59:49 Richard Creighton wrote:
> Many are executed without the knowledge or permission of the owner of the machine and as they are able to open and gather data stored in other LOS files on your system, over a period of time, a huge amount of information is accumulated and distributable to anyone who knows they are there.

Update to Flash 8 or later (openSUSE is using 10), and configure it not to store anything, if you have a problem with that.

I don't, but as an experiment I disabled them, to see how it will influence my web experience. I expect more of normal browser cookies, when flash one fails, and a bit slower start up of flash animations.

Here is the link to setup:
http://kb2.adobe.com/support/documentation/en/flashplayer/help/settings_mana...

Rob's blog is dated 2008-10-16, so he should know about Flash 8 and later, and also about Setup page, especially as a Gnash insider. Listing problems, but forgetting to mention the Flash setup page where you can disable use of tracking is a serious omission. Article appears like plain propaganda, and I can't trust more the one that is using the same methods as those that he is trying to discredit.

Besides I'm not sure that the term third party is used correctly. For Adobe the third party is third party vendor; anyone that is not Adobe. When we talk about browser cookies the third party is considered a web site that is not in the same domain as the one that set up the original cookie.

To clear up the question, can domain1.com read domain2.com files, one has to create a flash cookie with no restrictions on who can use it, if it is possible, and let domain1 server set it, then try to read that one from domain2. If it is possible then that is a serious bug, if not then it is not different from browser cookies.

--
Regards, Rajko

On Monday 02 November 2009 07:54:35 pm Richard wrote:
> This is an excerpt from an article I read at http://www.gnashdev.org/?q=node/62
> It contains this and a lot more information:
> <quote> What if there was a type of cookie that could:
> * Stay on your computer for an unlimited amount of time
> * Store 100 kb of data by default, with an unlimited max
> * Couldn’t be deleted by your browser
> * Send previous visit information and history, by default, without your permission

Great post Richard. It always left you wondering what was going on when Acrobat kept 100% of your CPU well after the time you closed Firefox (yes, I know it is a bug) -- but still??

You have to wonder just how many more of these glamor tools actually do quite a bit more than you are aware they are. That's why I'm glad we have so many hardware/network guys on the list that just love to sit around playing with lsof and netstat for hours on end ;p

The damning part of it, even on linux, Firefox and other browsers (Opera as well) pop up pages telling you to "Upgrade to the latest version of Flash", "Download it here _link_to_adobe_site_"

It sounds like we all may have been agreeing to a lot more than met the eye in those license agreements. Damn lawyers...

--
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com

On Mon, 2009-11-02 at 22:51 -0600, David C. Rankin wrote:
> On Monday 02 November 2009 07:54:35 pm Richard wrote:
>> This is an excerpt from an article I read at http://www.gnashdev.org/?q=node/62
>> It contains this and a lot more information:
>> <quote> What if there was a type of cookie that could:
>> * Stay on your computer for an unlimited amount of time
>> * Store 100 kb of data by default, with an unlimited max
>> * Couldn’t be deleted by your browser
>> * Send previous visit information and history, by default, without your permission
> Great post Richard. It always left you wondering what was going on when Acrobat kept 100% of your CPU well after the time you closed Firefox (yes, I know it is a bug) -- but still??

You might want to run tcpdump, when opening some pdf's with acrobat...

> You have to wonder just how many more of these glamor tools actually do quite a bit more than you are aware they are. That's why I'm glad we have so many hardware/network guys on the list that just love to sit around playing with lsof and netstat for hours on end ;p
> The damning part of it, even on linux, Firefox and other browsers (Opera as well) pop up pages telling you to "Upgrade to the latest version of Flash", "Download it here _link_to_adobe_site_"
> It sounds like we all may have been agreeing to a lot more than met the eye in those license agreements. Damn lawyers...

You mean those lines in font-size-1, foreground colour white, in which you agree to sell your soul?

David C. Rankin wrote:
> On Monday 02 November 2009 07:54:35 pm Richard wrote:
>> This is an excerpt from an article I read at http://www.gnashdev.org/?q=node/62
>> It contains this and a lot more information:
>> <quote> What if there was a type of cookie that could:
>> * Stay on your computer for an unlimited amount of time
>> * Store 100 kb of data by default, with an unlimited max
>> * Couldn’t be deleted by your browser
>> * Send previous visit information and history, by default, without your permission
> Great post Richard. It always left you wondering what was going on when Acrobat kept 100% of your CPU well after the time you closed Firefox (yes, I know it is a bug) -- but still??
> You have to wonder just how many more of these glamor tools actually do quite a bit more than you are aware they are. That's why I'm glad we have so many hardware/network guys on the list that just love to sit around playing with lsof and netstat for hours on end ;p
> The damning part of it, even on linux, Firefox and other browsers (Opera as well) pop up pages telling you to "Upgrade to the latest version of Flash", "Download it here _link_to_adobe_site_"
> It sounds like we all may have been agreeing to a lot more than met the eye in those license agreements. Damn lawyers...

Dave that's the pot calling the kettle black ain't it :-)

--
Hans Krueger
hanskrueger007@roadrunner.com
registered Linux user 289023

On 03/11/09 12:54, Richard wrote:
> This is an excerpt from an article I read at http://www.gnashdev.org/?q=node/62
> It contains this and a lot more information:
> <quote> What if there was a type of cookie that could:

[pruned]

> I found 'flash cookies' from a bunch of places I know never had 'videos' and some I don't ever remember visiting. A partial list I found on my machine included:
>
> ~/.macromedia/Flash_Player/#SharedObjects/5TQ5UR76> ll
> total 36
> drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 bankofamerica.com
> drwxrwx--- 3 ricreig root 4096 2009-09-02 10:49 cfl.brighthouse.com
> drwxrwx--- 2 ricreig root 4096 2009-08-20 10:22 login.yahoo.com
> drwxrwx--- 2 ricreig root 4096 2009-10-25 12:23 mail.google.com
> drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 static.howstuffworks.com
> drwxrwx--- 3 ricreig root 4096 2009-07-21 22:36 wunderground.com
> drwxrwx--- 2 ricreig root 4096 2009-09-01 20:33 www1.va.gov
> drwxrwx--- 2 ricreig root 4096 2009-10-19 20:42 www.paypal.com
> drwxrwx--- 2 ricreig root 4096 2009-09-19 09:17 www.weather.com
> ricreig@athelon:~/.macromedia/Flash_Player/#SharedObjects/5TQ5UR76>

[pruned]

> Still, there are YouTube, etc, sites that do have things I would like to see and I need a secure (as possible) flash player. What recommendations are given? Gnash? Any in the OSS repos any good?
> Again, this URL is a great starting place for information about this garbage and privacy invasion that is so well hidden, 95% of the people probably don't have a clue...
> http://www.gnashdev.org/?q=node/62
> Richard

Firstly, you should be running Firefox.

Secondly, in Firefox install the following Extensions:

* Adblock
* Flashblock
* NoScript
* Perspectives.

Read carefully what they are about when you are configuring these extensions and configure to suit your needs.

The above is your first line of defence.

Thirdly, and this is the "clincher", as root REMOVE 'write' and 'execute' privileges for ~/.macromedia. If you want to be absolutely paranoid then also alter the OWNER and GROUP to ROOT.

Flash won't be able to write to this directory.

BC
--
Never run yourself down - let other people do it for you.

On Monday 02 November 2009 23:53:14 Basil Chupin wrote:
> Firstly, you should be running Firefox.
> Secondly, in Firefox install the following Extensions:
> * Adblock
> * Flashblock
> * NoScript
> * Perspectives.

No trust in Adobe, but trust in 4 other vendors? :)

> Read carefully what they are about when you are configuring these extensions and configure to suit your needs.

If we would read carefully what is Flash on Adobe web site then this whole thread would not exist, at least the parts about Adobe allowing hideous, not documented, not warranted files on our computers, but we don't.

> as root REMOVE 'write' and 'execute' privileges for ~/.macromedia

While "as root" sounds like a serious business, files are still in user possession (tilde in ~/.macromedia, tells me that it is in user directory) and Flash can change permissions, as it is run by the user.

--
Regards, Rajko

On 04/11/09 20:57, Rajko M. wrote:
> On Monday 02 November 2009 23:53:14 Basil Chupin wrote:
>> Firstly, you should be running Firefox.
>> Secondly, in Firefox install the following Extensions:
>> * Adblock
>> * Flashblock
>> * NoScript
>> * Perspectives.
> No trust in Adobe, but trust in 4 other vendors? :)

Individuals have been writing the extensions/themes for Mozilla Firefox for some years now. Mozilla is put out as opensource. How many "vendors" write applications for openSUSE which are included in openSUSE without qualifications as part of the "Build Service" and for which Novell takes no responsibility?

>> Read carefully what they are about when you are configuring these extensions and configure to suit your needs.
> If we would read carefully what is Flash on Adobe web site then this whole thread would not exist, at least the parts about Adobe allowing hideous, not documented, not warranted files on our computers, but we don't.

If... However, why don't those vendors simply disallow such "hideous....not warranted files.." in the first instance? Why code their applications to allow this and then leave the users to work out how to protect themselves from these "backdoors" [my term, by way of a quick description]?

>> as root REMOVE 'write' and 'execute' privileges for ~/.macromedia
> While "as root" sounds like a serious business, files are still in user possession (tilde in ~/.macromedia, tells me that it is in user directory) and Flash can change permissions, as it is run by the user.

Ce?

While the user has possession of the .macromedia directory Flash cannot write to this directory. I've tried this out last night on several sites.

Perhaps it is because I am using Firefox and have the above mentioned extensions installed?

Or is it perhaps that the security in Linux does not allow any permissions to be altered by a user but only by root?

BC
--
Never run yourself down - let other people do it for you.

On Tuesday 03 November 2009 23:07:18 Basil Chupin wrote:
On 04/11/09 20:57, Rajko M. wrote: ... However, why don't those vendors simply disallow such "hideous....not warranted files.." in the first instance?
Because the end users of Flash are not the only users that Adobe has to please. Taking how much we pay for Flash Player, there will be none if the other part of Adobe users will not pay, and they will not if some part that they find usable is disabled by default.
Why code their applications to allow this and then leave the users to work out how to protect themselves from these "backdoors" [my term, by way of a quick description]?
Internet provides no privacy. Fire on particular vendor for allowing some kind of cookies, while tens of other services, including your ISP, know a lot more about you and your habits, is IMNSHO, plain unjust.
as root REMOVE 'write' and 'execute' privileges for ~/.macromedia
While "as root" sounds like a serious business, files are still in user possession (tilde in ~/.macromedia, tells me that it is in user directory) and Flash can change permissions, as it is run by the user.
Ce?
While the user has possession of the .macromedia directory Flash cannot write to this directory. I've tried this out last night on several sites.
Perhaps it is because I am using Firefox and have the above mentioned extensions installed?
Probably no, if you see flash running. Although, some programs will not attempt to change them. I can imagine that program designed for windows will lack part that will check and fix (repair) permissions.
Or is it perhaps that the security in Linux does not allow any permissions to be altered by a user but only by root?
Hmm, no. Read, write, execute I can change on files that *belong* to me, but I can't change owner.
BC
-- Regards, Rajko OpenSUSE Wiki Team: http://en.opensuse.org/Wiki_Team People of openSUSE: http://en.opensuse.org/People_of_openSUSE/About
On 04/11/09 22:33, Rajko M. wrote: So, you wishet to joust, Sire?! Have your Groom contact my Groom to arrange the details! :-) :-)
On Tuesday 03 November 2009 23:07:18 Basil Chupin wrote:
On 04/11/09 20:57, Rajko M. wrote:
...
However, why don't those vendors simply disallow such "hideous....not warranted files.." in the first instance?
Because the end users of Flash are not the only users that Adobe has to please. Taking how much we pay for Flash Player, there will be none if the other part of Adobe users will not pay, and they will not if some part that they find usable is disabled by default.
Not really interested in how much we may or may not pay for Flash. In the context of the current exchange of messages, the question still has to be answered as to why applications are written to have "backdoors", and similar, and not have these made transparent to the end user. The OP did ask, and he made a point of it in a later post (but so far has not received a response), that he wanted to know the alternatives to Flash.
Why code their applications to allow this and then leave the users to work out how to protect themselves from these "backdoors" [my term, by way of a quick description]?
Internet provides no privacy. Fire on particular vendor for allowing some kind of cookies, while tens of other services, including your ISP, know a lot more about you and your habits, is IMNSHO, plain unjust.
While I accept this I also state that it is only a side issue to the above discussion. Your ISP, the American NSA (thru Echelon), the American Record industry and the American Film Industry monitor bit-torrent traffic (see the court action currently under way against my ISP, iinet, here in Australia), the security organisations of almost every country know what you are transmitting over the telephone and Internet; the "spy organisation" in my own country can monitor from a van, parked more than 200 metres away from my home, every character written to my monitor screen. You can encrypt your messages, or your HD, - but you are required to provide the encryption algorithm to the "authorities" on request if they suspect that you are up to some "hanky-panky"! But this is not the point, is it?
as root REMOVE 'write' and 'execute' privileges for ~/.macromedia
While "as root" sounds like a serious business, files are still in user possession (tilde in ~/.macromedia, tells me that it is in user directory) and Flash can change permissions, as it is run by the user.
Ce?
While the user has possession of the .macromedia directory Flash cannot write to this directory. I've tried this out last night on several sites.
Perhaps it is because I am using Firefox and have the above mentioned extensions installed?
Probably no, if you see flash running. Although, some programs will not attempt to change them. I can imagine that program designed for windows will lack part that will check and fix (repair) permissions.
Or is it perhaps that the security in Linux does not allow any permissions to be altered by a user but only by root?
Hmm, no. Read, write, execute I can change on files that *belong* to me, but I can't change owner.
Most interesting! Thank you, Rajko, for pointing this out So, the security in Linux is NOT what, for many years, I have believed it to be. I, and thousands of others, have been duped for all this time. However, does the ability to alter the permissions to read, write, execute of something which *I* "own" (but the ownership of which I cannot change) mean that any alteration can also have a flow-on to system files/applications outside my /home directory? BC -- Never run yourself down - let other people do it for you.
On Wednesday 04 November 2009 03:30:42 Basil Chupin wrote:
Read, write, execute I can change on files that belong to me, but I can't change owner.
Most interesting!
Thank you, Rajko, for pointing this out
So, the security in Linux is NOT what, for many years, I have believed it to be.
I, and thousands of others, have been duped for all this time.
Not really. You have to understand file ownership and access permissions to be able to use it to protect your privacy, and in example above you missed that any application, including console, file manager, can do whatever you can do. That was repeated time and again. That is the reason why browsing the Internet from the same account you use to work on private data doesn't provide any real privacy. If you really want to have private data then create another user account, fix permissions so that no one except you can even see private directories, which means user rwx, group ---, other --- . which is 700 in octal numbers, and never access Internet, or use network enabled applications with that account. Not to forget set /tmp and few other places that contain traces of that account activity to be cleaned up after you log out, and you have privacy.
However, does the ability to alter the permissions to read, write, execute of something which I "own" (but the ownership of which I cannot change) mean that any alteration can also have a flow-on to system files/applications outside my /home directory?
Flow-on I guess means influence, and then the answer is no, with exception of places like /tmp and /var, and in that places only files that belong to account that created them. It is actually not that simple, some applications create temp files that anybody read, so cleanup on logout is the only way to close possibility that information leaks. By default root is owner of almost any file on your system and changing access permissions in, for instance, ~/.macromedia influenced only Flash activity in your home, but that only because Flash: 1) is not designed as spyware 2) probably knows how to create that directory if it is missing, but it doesn't know how to repair permissions. It is just missing functionality in Flash, not real inability to do whatever you can do, including to revert your changes on ~/.macromedia, read, write and execute any and all files that belong to account that is running Flash. Ditto advice to restrict any activity in account with private data to minimum that is necessary to work on them. If you like to listen music when you work on your memoirs then use some CD/DVD player that is not in that computer. -- Regards, Rajko OpenSUSE Wiki Team: http://en.opensuse.org/Wiki_Team People of openSUSE: http://en.opensuse.org/People_of_openSUSE/About
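The point made in this exchange, that a chmod lock on a directory you own can be undone by any program running as you, shown as an added shell example (not part of any list member's message). It works in a throwaway temporary directory; the names `SharedObjects` and `probe.sol` are stand-ins chosen for the illustration.

```shell
#!/bin/sh
# Added illustration (not from the thread). Everything happens inside a
# temporary directory; "SharedObjects" only stands in for ~/.macromedia.

# Print the permission string (for example dr-x------) of a directory.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Try to create a file inside a directory; print "written" or "blocked".
try_write() {
    if ( : > "$1/probe.sol" ) 2>/dev/null; then
        echo written
    else
        echo blocked
    fi
}

# Lock the directory the way the thread suggests, then undo the lock from
# the same account, as any program started by that user could do.
lockdown_then_undo() {
    dir=$1
    chmod 700 "$dir"
    chmod a-w "$dir"                   # remove write permission for everyone
    locked_mode=$(mode_of "$dir")
    locked_write=$(try_write "$dir")   # blocked for a normal user; root bypasses mode bits
    chmod u+w "$dir"                   # no root needed: the owner may change mode bits
    restored_mode=$(mode_of "$dir")
    restored_write=$(try_write "$dir") # the same account can write again
    echo "$locked_mode $locked_write $restored_mode $restored_write"
}

# Run the sequence in a scratch directory and clean up afterwards.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/SharedObjects"
    lockdown_then_undo "$work/SharedObjects"
    rm -rf "$work"
}

demo
```

Run as an ordinary user it prints `dr-x------ blocked drwx------ written`. The lock holds only against a process that does not try to undo it; a separate account or a confinement layer such as AppArmor, both mentioned in the thread, is what actually stands in the way.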
On 05/11/09 12:48, Rajko M. wrote:
On Wednesday 04 November 2009 03:30:42 Basil Chupin wrote:
Read, write, execute I can change on files that belong to me, but I can't change owner.
Most interesting!
Thank you, Rajko, for pointing this out
So, the security in Linux is NOT what, for many years, I have believed it to be.
I, and thousands of others, have been duped for all this time.
Not really. You have to understand file ownership and access permissions to be able to use it to protect your privacy, and in example above you missed that any application, including console, file manager, can do whatever you can do. That was repeated time and again.
That is the reason why browsing the Internet from the same account you use to work on private data doesn't provide any real privacy.
If you really want to have private data then create another user account, fix permissions so that no one except you can even see private directories, which means user rwx, group ---, other --- . which is 700 in octal numbers, and never access Internet, or use network enabled applications with that account. Not to forget set /tmp and few other places that contain traces of that account activity to be cleaned up after you log out, and you have privacy.
[pruned] Thanks, Rajko, for spelling all this out. Much food for thought here. I'll be re-reading all this very carefully in the coming days. Thanks again. BC -- The chief cause of problems is solutions.
On Wednesday 04 November 2009 10:30:42 Basil Chupin wrote:
So, the security in Linux is NOT what, for many years, I have believed it to be.
I, and thousands of others, have been duped for all this time.
huh? Every linux user knows that when he downloads an executable program, he has to do "chmod u+x" on it before he can execute it. At no point in this advice is it said they have to su to root first. In file managers, the interface allows you to change permissions on files to your heart's content. So if by "duped" you mean "told repeatedly, on mailing lists and in documentation", then yes, you have been duped Anders
On 05/11/09 13:39, Anders Johansson wrote:
On Wednesday 04 November 2009 10:30:42 Basil Chupin wrote:
So, the security in Linux is NOT what, for many years, I have believed it to be.
I, and thousands of others, have been duped for all this time.
huh? Every linux user knows that when he downloads an executable program, he has to do "chmod u+x" on it before he can execute it.
Until just now, I have never been told to do this :-) .
At no point in this advice is it said they have to su to root first. In file managers, the interface allows you to change permissions on files to your heart's content.
Ce? "To [one's] heart's content"? Surely you mean if you are the owner of the file. I know that Dolphin allows you to alter the permissions (using Advance Permissions) even on files owned by root -- but this is only a delusion because the changes are not implemented.
So if by "duped" you mean "told repeatedly, on mailing lists and in documentation", then yes, you have been duped
So basically you are saying that when I was told, and I have told many other people same, that Linux was secure and unhackable, unlike our "friend", that Linux is just as vulnerable to all sorts of hanky-panky if someone sat down and tried to exploit the sort of vulnerabilities mentioned here? OK, I know about the method of wiping out the root's existing password and creating a new password and therefore be able to access all the system but this is not what we are talking about here, are we? The bottom line, then, is that what the OP raised about Adobe Flash is an exploitable feature in Linux, right? BC -- The chief cause of problems is solutions.
On Thursday 05 November 2009 04:44:06 Basil Chupin wrote:
huh? Every linux user knows that when he downloads an executable program, he has to do "chmod u+x" on it before he can execute it.
Until just now, I have never been told to do this :-) .
I'm starting to wonder if you're having a laugh
At no point in this advice is it said they have to su to root first. In file managers, the interface allows you to change permissions on files to your heart's content.
Ce? "To [one's] heart's content"? Surely you mean if you are the owner of the file.
well, yes
So basically you are saying that when I was told, and I have told many other people same, that Linux was secure and unhackable,
There is no such thing as "unhackable". Linux is more secure, but dangers lurk everywhere
unlike our "friend", that Linux is just as vulnerable to all sorts of hanky-panky if someone sat down and tried to exploit the sort of vulnerabilities mentioned here?
I haven't seen any mention of vulnerabilities in this thread But what you're talking about now, about file permissions, is just silly. You have been on this list for a very long time, I refuse to believe that you don't know this. chmod is one of the most basic tools there are, you *must* have worked with it Anyway, the point is that anything you can do can be done by programs executed by you. To some extent you can limit it using tools such as AppArmor, but basically, programs executed by you *are* you, as far as the kernel is concerned
The bottom line, then, is that what the OP raised about Adobe Flash is an exploitable feature in Linux, right?
The OP complained that flash stored cookies and cached objects. I didn't see any mention of any exploit or security issue. Anders
On 05/11/09 15:46, Anders Johansson wrote:
On Thursday 05 November 2009 04:44:06 Basil Chupin wrote:
huh? Every linux user knows that when he downloads an executable program, he has to do "chmod u+x" on it before he can execute it.
Until just now, I have never been told to do this :-) .
I'm starting to wonder if you're having a laugh
No, Anders, I am not "having a laugh". I have no desire nor wish to argue with you, or anyone, for whatever reason.
At no point in this advice is it said they have to su to root first. In file managers, the interface allows you to change permissions on files to your heart's content.
Ce? "To [one's] heart's content"? Surely you mean if you are the owner of the file.
well, yes
Fine. At least this one is now made clear.
So basically you are saying that when I was told, and I have told many other people same, that Linux was secure and unhackable,
There is no such thing as "unhackable". Linux is more secure, but dangers lurk everywhere
unlike our "friend", that Linux is just as vulnerable to all sorts of hanky-panky if someone sat down and tried to exploit the sort of vulnerabilities mentioned here?
I haven't seen any mention of vulnerabilities in this thread
See below.
But what you're talking about now, about file permissions, is just silly. You have been on this list for a very long time, I refuse to believe that you don't know this. chmod is one of the most basic tools there are, you *must* have worked with it
Yes, I have used both CHMOD and CHOWN as *root* to 'globally' alter the settings for directories under certain instances.
Anyway, the point is that anything you can do can be done by programs executed by you. To some extent you can limit it using tools such as AppArmor, but basically, programs executed by you *are* you, as far as the kernel is concerned
The bottom line, then, is that what the OP raised about Adobe Flash is an exploitable feature in Linux, right?
The OP complained that flash stored cookies and cached objects. I didn't see any mention of any exploit or security issue.
Anders
OK, let's have a look at what the OP (Richard stated in a post a while back) and to which you did not provide a response either accepting or negating his statement: QUOTE They are not *supposed* to be executable, but there is nothing to prevent executable code from being uploaded to your machine, stored in a 'flookie' and with the cooperation of a reader like Adobe, launch the code. No, it isn't supposed to happen, but neither are worms and viruses supposed to happen. Giving hackers a way to infiltrate your machine, unimpeded and unquestioned is giving them the keys to the machine. It is inevitable that one will use it to start their destructo mechanisms. UNQUOTE The thought in my mind, then, is, "Does a vulnerability in Linux exist?". A straightforward question, and from what Rajko mentioned, in his last post here, has only added to my concern about this matter. A simple concern, requiring a simple answer and without any comments about how long I have been on this mail list, et alia and et alia. BC -- The chief cause of problems is solutions.
On Thursday 05 November 2009 06:56:54 Basil Chupin wrote:
The thought in my mind, then, is, "Does a vulnerability in Linux exist?".
A straightforward question, and from what Rajko mentioned, in his last post here, has only added to my concern about this matter.
The straight-forward response is no, this does not in any way imply a vulnerability in linux. There may or may not be bugs in flash that would allow things like that to happen, but so far I haven't heard of any. The point is that if there is a bug in a piece of software, there will also be a way to exploit it, and this ranting about cookies and caches is a complete red herring. Virtually no servers that have exploits allow data to be uploaded, and yet through exploited bugs code can be, and then executed. If there is a bug present, hackers rarely need any help to get their code onto your machine. Besides which, flash in itself already means you are executing code on your machine, whether it is the adobe/macromedia player, or gnash, or something else. It runs in a sandbox as with all other virtual machines that execute code, such as java, dotnet or PDF/postscript (yes, that is also code that gets executed), so if there is a bug that would allow malicious behaviour, the lack of a local cache will not help you in any way Anders
On Thu, 2009-11-05 at 07:11 +0100, Anders Johansson wrote:
On Thursday 05 November 2009 06:56:54 Basil Chupin wrote:
The thought in my mind, then, is, "Does a vulnerability in Linux exist?".
A straightforward question, and from what Rajko mentioned, in his last post here, has only added to my concern about this matter.
The straight-forward response is no, this does not in any way imply a vulnerability in linux. There may or may not be bugs in flash that would allow things like that to happen, but so far I haven't heard of any.
The point is that if there is a bug in a piece of software, there will also be a way to exploit it, and this ranting about cookies and caches is a complete red herring. Virtually no servers that have exploits allow data to be uploaded, and yet through exploited bugs code can be, and then executed. If there is a bug present, hackers rarely need any help to get their code onto your machine.
Besides which, flash in itself already means you are executing code on your machine, whether it is the adobe/macromedia player, or gnash, or something else. It runs in a sandbox as with all other virtual machines that execute code, such as java, dotnet or PDF/postscript (yes, that is also code that gets executed), so if there is a bug that would allow malicious behaviour, the lack of a local cache will not help you in any way
Anders
What rock have you been living under? The original points are completely valid. The problem exists in all closed source software and is a problem in many ways besides security or privacy concerns, it's a plain, perpetual technical problem too. Witness the perpetual problems with video drivers just for one of many examples. I have several others particular to me since my company must use several commercial apps that run on linux, which our ASP business lives on top of, which in turn all our customers businesses live on top of since our app is central to their businesses. Each of these apps has various problems which I must simply suffer with and work around and apologize to the users about. Actually fixing them is not within my power. If the code were available to me yes in fact I COULD either fix them, or at least diagnose them completely and devise a palliative that is actually reliable, or present my findings to some hired gun better coder than me to address. Several of my most pain in the neck problems I know would actually be such trivial changes I could do them myself in 10 minutes. I'm not even relying on the magic of "someone would fix it sooner or later". But that is not an invalid statement at all even if I were relying on that. It's demonstrable many times over in countless pieces of software by now. It's an established and proven fact of history. Not an empty wish that has no weight as an argument. The fact that most individuals do not have the time (even if they had the interest and the ability) to become hackers in their own right, software developer and kernel hacker gurus such that they are actually more powerful than all other hackers, just so that they can personally and completely audit every line of code that executes on their machine IN NO WAY invalidates the difference in quality and safety between ANY closed source binary and ANY open source program. 
The difference between available and not-available, visible and not-visible, possible and not-possible, is all the difference in the world. It's a demonstrated thing already and far beyond any shred of a doubt or question. It's a no-brainer. If you don't know the answer to his ACTUAL QUESTION, which wasn't "Is Adobe flash plugin harmful?" it was "What if any open source alternatives to Adobe Flash plugin are there?", then either say that, or better yet say nothing. -- bkw
On Thursday 05 November 2009 11:52:52 Brian K. White wrote:
What rock have you been living under?
The one where you learn how to read. I did not in any way talk about the differences between open source and closed source, don't try to make my statements out to be some sort of defence of closed source, because all that means is you haven't read what I wrote. All I said was that if there is a bug in the flash software, the presence or absence of the cache is completely irrelevant. The OP seemed to have some sort of voodoo idea of security which needed to be set straight Anders
On Thu, 2009-11-05 at 17:33 +0100, Anders Johansson wrote:
On Thursday 05 November 2009 11:52:52 Brian K. White wrote:
What rock have you been living under?
The one where you learn how to read.
I did not in any way talk about the differences between open source and closed source, don't try to make my statements out to be some sort of defence of closed source, because all that means is you haven't read what I wrote.
Your arguments hinge on there being essentially no difference between the two, that any problems would exist equally in each, be equally dangerous or not, be equally fixable or not, be equally likely to be fixed or not, on the same time scale. Which is a ridiculous thing to say.
All I said was that if there is a bug in the flash software, the presence or absence of the cache is completely irrelevant.
That's a pretty amazing statement. How do you figure? The OP's point was that, you cannot know what the magic black box is doing with that cache, and, that that cache can do things that an ordinary cookie can not. It's pretty hard to store a binary executable in 4k plain text cookies. And it's pretty hard to get any open source browser to do such a thing as download and execute a binary without the user knowing. But 100k up to unlimited blob of binary data, solely managed and used by a black box you can't see inside of? This is all the difference in the world. The two things are in no way equivalent. Yes the binary can only do things that the user can do, but, that is rather a lot. The user can read all of his own files and can access the internet. How is that not a dangerous combination of things to put in the hands of an unauditable binary? Especially as in this case, where the binary's actions are not really all the responsibility of the author, or the end user, but unknown outsiders who can put things on web sites that can make use of the flash plugin. Yes there are ways to inspect and sandbox and block a black box mystery binary but it's impractical to take those measures for every binary on your system, so you do have to have some reason for your suspicion to be alerted that a binary warrants scrutiny. The things they described about what the flash plugin could do, and further, what it has been observed actually doing, are just exactly that flag. I don't see what is invalid about the original post that raised the issue. It's exactly the correct and normal procedure. You start out assuming the proprietary binary author is above board and so you trust them and use their binary until you have some reason to suspect things might not be cool. The reason to suspect has come along, and the response was entirely appropriate. -- bkw
Brian K. White pecked at the keyboard and wrote:
On Thu, 2009-11-05 at 17:33 +0100, Anders Johansson wrote:
On Thursday 05 November 2009 11:52:52 Brian K. White wrote:
What rock have you been living under? The one where you learn how to read.
I did not in any way talk about the differences between open source and closed source, don't try to make my statements out to be some sort of defence of closed source, because all that means is you haven't read what I wrote.
Your arguments hinge on there being essentially no difference between the two, that any problems would exist equally in each, be equally dangerous or not, be equally fixable or not, be equally likely to be fixed or not, on the same time scale. Which is a ridiculous thing to say.
The sky is falling, the sky is falling! The only safe computer is the one that is turned off and locked away in a bank type vault. Can we please end this pissing match and move on? -- Ken Schneider SuSe since Version 5.2, June 1998
On Thursday November 5 2009, Ken Schneider - openSUSE wrote:
...
The only safe computer is the one that is turned off and locked away in a bank type vault. ...
And not stored on a high shelf.
-- Ken Schneider
RRS
On Thu, 2009-11-05 at 14:22 -0500, Ken Schneider - openSUSE wrote:
Brian K. White pecked at the keyboard and wrote:
On Thu, 2009-11-05 at 17:33 +0100, Anders Johansson wrote:
On Thursday 05 November 2009 11:52:52 Brian K. White wrote:
What rock have you been living under? The one where you learn how to read.
I did not in any way talk about the differences between open source and closed source, don't try to make my statements out to be some sort of defence of closed source, because all that means is you haven't read what I wrote.
Your arguments hinge on there being essentially no difference between the two, that any problems would exist equally in each, be equally dangerous or not, be equally fixable or not, be equally likely to be fixed or not, on the same time scale. Which is a ridiculous thing to say.
The sky is falling, the sky is falling!
The only safe computer is the one that is turned off and locked away in a bank type vault. Can we please end this pissing match and move on?
Oh gee, ludicrous exaggeration outside the bounds of all reality. That's a brilliant debate argument. Almost as good as name-calling. OK I'll play, "There is no such thing as security concerns. Let everyone and everything do whatever they want it's all probably fine, in fact, don't even bother looking." What did that nonsense accomplish, in either direction? You didn't say the grossly exaggerated garbage above any more than I said the grossly exaggerated garbage you did. The original points are valid. It's out of line and irresponsible for anyone to tell anyone else as advice: "ah, don't worry about that it's probably nothing" It's just never anyone's place to say that to anyone else. It's like telling someone not to bother locking the door to their house while they're at work, because most neighborhoods are fine and if the crook wants in he's going to get in anyways and that silly doorknob lock really means nothing. Actually, in this case it's more like telling someone not to set any kind of password or wep or wpa key on their home wifi, and not to bother even looking if anyone has been using it or what they've been using it for. Probably no one has poked around and read things off your pc's, probably they aren't sniffing all the traffic and capturing passwords, probably they haven't used your net connection as a nice relay node to do things they wouldn't want traced back to themselves. And most of the time yes probably that's true. That's still a completely irresponsible thing to say to someone else. Because: A) sometimes it's not true B) if everyone did that, then very quickly the bad guys would realise "hey no one locks these" and then almost everyone would be taken advantage of. Any time there is a case where generally no bad guys take advantage of something, it's only because generally it's not available so they aren't looking to try to do something they know most people do not allow them to do.
If your neighborhood is good and no one ever tries to break in to the houses, it's only because they know the houses are always locked and maybe have alarm systems too. This means maybe one or a few people can actually get away with leaving their place wide open, because the bad guys have no reason to suspect anyone would ever do that, so they wouldn't notice when one guy does for a while. But if that was the general rule that mostly no one locks their door or sets any alarms? Every place would get cleaned out. So no the sky is not falling, and yet, even though the sky is not falling, you still are obligated to investigate questionable things and close potential doors when you discover them. It's sort of like digital hygiene. If you don't do this you not only open yourself to problems, become a disease vector for everyone around you. (not saying you personally just in general) Saying that the original point is valid is in no way saying the sky is falling. My objection is purely to the broken argument and irresponsible advice that there is no problem at all, and I will continue to say so as long as that bad advice continues to be put forth. -- bkw
* Ken Schneider - openSUSE (suse-list3@bout-tyme.net) [20091105 20:25]:
The sky is falling, the sky is falling!
Yeah, I have the popcorn by my side all the time :) Philipp
On Thursday 05 November 2009 20:12:11 Brian K. White wrote:
Your arguments hinge on there being essentially no difference between the two,
No it doesn't, not in any way. The OP raised the issue of flash storing cookies as a security issue, and I pointed out that it makes no difference whatsoever. If there is a bug, it can be exploited with or without cookies
All I said was that if there is a bug in the flash software, the presence or absence of the cache is completely irrelevant.
That's a pretty amazing statement. How do you figure?
It's quite simple: if the cookies are to be exploited, there needs to be a bug that allows a flash program to execute a generic binary that is outside the flash sandbox. Once that happens, you have lost, because that means the flash code is already outside the sandbox and can do pretty much what it wants. You don't need 100K for an exploit, most shell code contained in exploits is only a few hundred bytes or less, easily stored in a normal cookie. Sure there may be security problems in flash, but that cache is irrelevant to it Anders
On Thursday, 2009-11-05 at 20:39 +0100, Anders Johansson wrote: ...
No it doesn't, not in any way.
The OP raised the issue of flash storing cookies as a security issue, and I pointed out that it makes no difference whatsoever. If there is a bug, it can be exploited with or without cookies
The point, I think, would be if something there is exploitable without bugs, for example, by the author of the flash video or whatever. -- Cheers, Carlos E. R.
On Thu, 2009-11-05 at 20:39 +0100, Anders Johansson wrote:
On Thursday 05 November 2009 20:12:11 Brian K. White wrote:
Your arguments hinge on there being essentially no difference between the two,
No it doesn't, not in any way.
The OP raised the issue of flash storing cookies as a security issue, and I pointed out that it makes no difference whatsoever. If there is a bug, it can be exploited with or without cookies
All I said was that if there is a bug in the flash software, the presence or absence of the cache is completely irrelevant.
That's a pretty amazing statement. How do you figure?
It's quite simple: if the cookies are to be exploited, there needs to be a bug that allows a flash program to execute a generic binary that is outside the flash sandbox. Once that happens, you have lost, because that means the flash code is already outside the sandbox and can do pretty much what it wants. You don't need 100K for an exploit, most shell code contained in exploits is only a few hundred bytes or less, easily stored in a normal cookie.
Sure there may be security problems in flash, but that cache is irrelevant to it
Anders
Ok I'll grant that flash could be equally dangerous by downloading something into memory just as much as downloading it into a file. But the possible problems were beyond that one possible mis-use. The others were related to collecting, storing, and relaying or forwarding data unrelated to the user's nominal intentions, and without the user's knowing, or knowing consent. I guess the same could be done in ram minus the ability to store it for later or for one site to leave for another to pick up. 100k is certainly not a noticeable amount of ram by today's standards. -- bkw
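Added example, not part of any message in this thread and not code from any project it mentions: a Python inventory of what the Flash plugin has stored per site, using the `#SharedObjects` path from the listing at the top of the thread and the 100 kb default quoted there. It counts `.sol` files (the suffix Flash uses for shared objects); the function names and the `.example` domains in the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Location shown in the directory listing at the top of the thread.
SHARED_OBJECTS = Path.home() / ".macromedia" / "Flash_Player" / "#SharedObjects"
DEFAULT_QUOTA = 100 * 1024  # the "100 kb by default" figure quoted in the thread


def inventory(root=SHARED_OBJECTS, quota=DEFAULT_QUOTA):
    """Return one record per storing domain, largest first.

    Layout, as in the thread's listing:
        <root>/<random-id>/<domain>/[sub/dirs/]<name>.sol
    A domain directory with no .sol files is still reported (0 files).
    """
    root = Path(root)
    if not root.is_dir():
        return []
    stats = {}
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        parts = Path(dirpath).relative_to(root).parts
        if len(parts) < 2:  # still at <root> or <random-id> level
            continue
        rec = stats.setdefault(parts[1].lower(),
                               {"files": 0, "bytes": 0, "newest": 0.0})
        for name in files:
            if not name.lower().endswith(".sol"):
                continue
            try:
                st = os.lstat(os.path.join(dirpath, name))
            except OSError:
                continue  # vanished or unreadable: skip, keep going
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks and other non-regular files
            rec["files"] += 1
            rec["bytes"] += st.st_size
            rec["newest"] = max(rec["newest"], st.st_mtime)
    rows = [dict(domain=d, over_quota=r["bytes"] > quota, **r)
            for d, r in stats.items()]
    return sorted(rows, key=lambda r: (-r["bytes"], r["domain"]))


def format_report(rows):
    """Render the inventory as text: bytes, file count, newest date, domain."""
    lines = []
    for r in rows:
        when = (time.strftime("%Y-%m-%d", time.localtime(r["newest"]))
                if r["files"] else "-")
        flag = "  OVER DEFAULT QUOTA" if r["over_quota"] else ""
        lines.append(f'{r["bytes"]:>10}  {r["files"]:>3}  {when:<10}  '
                     f'{r["domain"]}{flag}')
    return "\n".join(lines)


def build_sample_tree(base):
    """Create a CONSTRUCTED sample tree (made-up domains) for offline runs."""
    root = Path(base) / "#SharedObjects"
    profile = root / "ABCD1234"  # stands in for the random per-profile dir
    swf_dir = profile / "tracker.example" / "player.swf"
    swf_dir.mkdir(parents=True)
    (swf_dir / "settings.sol").write_bytes(b"\0" * 150 * 1024)
    (profile / "bank.example").mkdir()
    (profile / "bank.example" / "login.sol").write_bytes(b"\0" * 512)
    (profile / "bank.example" / "notes.txt").write_text("not an LSO")
    (profile / "empty.example").mkdir()
    return root


if __name__ == "__main__":
    if SHARED_OBJECTS.is_dir():
        print(format_report(inventory()))
    else:  # no Flash data on this machine: show the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            print(format_report(inventory(build_sample_tree(tmp))))
```

Domains that appear here without ever having been visited directly are the third-party storage the thread is arguing about.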
* Brian K. White (brian@aljex.com) [20091105 20:12]:
But 100k up to unlimited blob of binary data, solely managed and used by a black box you can't see inside of? This is all the difference in the world. The two things are in no way equivalent.
And you do know of the data storage (i.e. large cookies) firefox supports? AFAIR the limit was something like 4 or 5 MB? And don't tell me the ordinary user can read *and understand* the firefox source code when even experienced developers (but with no previous experience with firefox code) need quite some time to understand what the code is doing. Philipp
On Wednesday 04 November 2009 11:46:47 pm Anders Johansson wrote:
On Thursday 05 November 2009 04:44:06 Basil Chupin wrote:
The bottom line, then, is that what the OP raised about Adobe Flash is an exploitable feature in Linux, right?
The OP complained that flash stored cookies and cached objects. I didn't see any mention of any exploit or security issue.
Anders
I am the OP of this thread and I pointed to an entire article which discussed just that as well as security issues. That and subsequent articles mentioned explicitly that these 'flookies' can store entire programs if the malware author wishes. On my machine, as a user, I can run a mailer, (both as a client and as a server), send and receive E-Mail, compose text, html, data and other files, sending them anywhere, read all the directories in any directory I have access to as a user including 'hidden' directories. Any software that runs 'as me' has the same rights and abilities and if a 'flookie' contains executable code that writes E-Mail (phishing, or whatever), sends it to everyone on my contacts list or reads the headers of all messages stored on my machine (sent or received (including mailing lists)) and generates messages to the derived addresses even though not in my contacts list. It could also get bank account information by reading my incoming mail from my financial institutions or anywhere else I might have stored it, possibly derive my SSN, peruse any and all 'cookies' or other 'flookies' for whatever information it can derive. It could also initiate a ftp or http communication by opening a session with a 'drop' IP for collected information, in the background any time I am using the internet for any reason, and because I have the right to open sessions over the internet, (browser, ftp, ssh, whatever) legitimately, my firewall will ask its 'rules' if 'he' is authorized to use http on port 80...yes, ok, let this message/packet go.... All because a 'flookie' was executing code due to a hack.
So Anders, if that isn't clear enough, I consider that both an exploit or security issue that is made harder to detect and correct because it is closed-source that cannot by its nature, be scrutinized nearly as closely by either me or by the open-source community which is huge and alert enough to prevent such exploits from being successful because they can't/don't remain hidden (for long, if at all). So, once again Anders, this thread started by stating a perceived weakness in Flash by Adobe because it is closed-source (not necessarily because Adobe is an evil entity), pointed to an article which got me to thinking about the issue that heretofore I hadn't considered and I requested, so far unanswered, information regarding what, if, and which is best, of any alternatives to Adobe Flash which, unlike Adobe's product, is open-source. Richard
Hi everyone: I use opensuse 11.1_ x86 and ktorrent 3.2.5 from the kde43 repository. Whenever the download speed gets higher than 2MB/s, ktorrent will respond very slowly, or even worse, doesn't responses at all. When download limits was set to 2Mb/s, the responsibility was acceptable. PS: I'm using a IPv6 network, and when using utorrent with wine, the speed can read 10Mb/s without any problems. Thanks.
Sunday, US TV program "60 Minutes" ran an item about how Bit Torrent ( and like) works and is causing havoc in the film industry. It seems more and more persons are downloading and creating black market DVD's of movies and selling them cheaper than the real market ones. There was talk about how to stop it. ;-) Like that is really going to happen ;-) And, I would venture to say, that most of us have done it a time or two - but - for our own viewing/collection. Could it be related ? Duaine Yang Bo wrote:
Hi everyone:
I use opensuse 11.1_ x86 and ktorrent 3.2.5 from the kde43 repository. Whenever the download speed gets higher than 2MB/s, ktorrent will respond very slowly, or even worse, doesn't responses at all. When download limits was set to 2Mb/s, the responsibility was acceptable.
PS: I'm using a IPv6 network, and when using utorrent with wine, the speed can read 10Mb/s without any problems.
Thanks.
-- Duaine Hechler Piano, Player Piano, Pump Organ Tuning, Servicing & Rebuilding Reed Organ Society Member Florissant, MO 63034 (314) 838-5587 dahechler@att.net www.hechlerpianoandorgan.com -- Home & Business user of Linux - 10 years
In <200911031438.37604.oakyangnjucn@gmail.com>, Yang Bo wrote:
I use opensuse 11.1_ x86 and ktorrent 3.2.5 from the kde43 repository. Whenever the download speed gets higher than 2MB/s, ktorrent will respond very slowly, or even worse, doesn't responses at all. When download limits was set to 2Mb/s, the responsibility was acceptable.
Careful with those 'b's. Do you mean 2Mb/s = 2Mbps = 2 megabits per second = 250000 bytes per second or do you mean 2MB/s = 2 megabytes per second = 2000000 bytes per second? If the former, I don't get the same behavior here. If the latter, I'd actually suspect either your kernel, network card, or PCI bus to be the issue, but I'm unable to test here. -- Boyd Stephen Smith Jr. bss@iguanasuicide.net ICQ: 514984 YM/AIM: DaTwinkDaddy http://iguanasuicide.net/
On Tuesday 03 November 2009 20:07:52 Boyd Stephen Smith Jr. wrote:
Careful with those 'b's.
Do you mean 2Mb/s = 2Mbps = 2 megabits per second = 250000 bytes per second or do you mean 2MB/s = 2 megabytes per second = 2000000 bytes per second?
I mean 2MB/s(megabytes), sorry for the confusion. And thanks for your patience clearing these.
If the former, I don't get the same behavior here. If the latter, I'd actually suspect either your kernel, network card, or PCI bus to be the issue, but I'm unable to test here.
But when using utorrent on wine, the speed can reach 10MB/s without any problems. So I think it should be the problem of KTorrent. And I figured that perhaps it's not the speed but the number of connected seeders that matters. It works well when there are only a few connected seeders even if the speed is quite high (about 8~9MB/s). But if there are many seeders connected, it responds slowly while the speed gets more than 2MB/s. Sorry for my bad English, and many thanks for you all reading this.
On Tuesday 03 November 2009 08:47:00 Yang Bo wrote:
On Tuesday 03 November 2009 20:07:52 Boyd Stephen Smith Jr. wrote:
Careful with those 'b's.
Do you mean 2Mb/s = 2Mbps = 2 megabits per second = 250000 bytes per second or do you mean 2MB/s = 2 megabytes per second = 2000000 bytes per second?
I mean 2MB/s(megabytes), sorry for the confusion. And thanks for your patience clearing these.
But when using utorrent on wine, the speed can reach 10MB/s without any problems.
Then I am clearly wrong. I can't reproduce here; I don't think I've ever gotten a torrent to go over 2MB/s. :(
So I think it should be the problem of KTorrent.
Sounds reasonable. If no one comes up with a solution in a day or so, you might file a bug against KTorrent, it sounds like you can reproduce the problem reasonably well. -- Boyd Stephen Smith Jr. bss@iguanasuicide.net ICQ: 514984 YM/AIM: DaTwinkDaddy http://iguanasuicide.net/
On Tuesday 03 November 2009 23:43:04 Boyd Stephen Smith Jr. wrote:
Sounds reasonable. If no one comes up with a solution in a day or so, you might file a bug against KTorrent, it sounds like you can reproduce the problem reasonably well.
Thanks for the tips. I'll have more tests to see if my guesses are correct. Then I'll file a bug report.
On 02/11/09 22:54, Richard wrote:
In any event, Adobe Flash Macromedia is banned from my system because it puts things on it that I didn't authorize,
Do you actually figure the many things your OS saves without your authorization ?
On Tue November 3 2009 11:34:33 am Cristian Rodríguez wrote:
On 02/11/09 22:54, Richard wrote:
In any event, Adobe Flash Macromedia is banned from my system because it puts things on it that I didn't authorize,
Do you actually figure the many things your OS saves without your authorization ?
When I find such animals, using OPEN SOURCE, at least I can have a fighting chance at being able to track down what, who, and why if I have any questions. Not with Adobe, a closed-source program. While I do use some closed-source programs, that only remains true until I find out they are doing things I don't want them to do, especially if I perceive those things may, or may have negative impact on me, my machine or my privacy or finances. Secondly, if I answer your question as asked, my OS is not an issue as it does what I tell/configure it to do. That isn't necessarily the case with APPLICATIONS, especially closed-source applications that come from vendors like Adobe that don't have my, and probably not your, interests as one of their concerns, but instead, how much money they can generate by sneaking stuff in on you. This is exactly why most of us switched away from MicroSoft OS's, too many security holes both in the OS itself and in the closed-source applications it runs. Read ComputerWorld (last couple of weeks) about how MS upgraded FIREFOX, not exactly their browser, during one of their 'security upgrades'. They admitted it after the fact, and Mozilla has since patched Firefox to thwart the "helpful upgrade" that MS put on all Windows machines that used their update service. See: http://www.computerworld.com/s/article/9139518/Mozilla_blocks_Microsoft_s_sn... I just don't want the same thing happening from Adobe or any other vendor that is closed-source especially when their history leaves a little to be desired about their motivations. However, and AGAIN, I am not trying to argue/discuss the merits of Adobe or Macromedia, only WHAT OPEN SOURCE alternatives exist that provide similar functionality, and as there appear to be several, which is best? Don't know why no one bothers to answer that question, but insists on singing the praises of Adobe/Macromedia or any other closed-source vendor. 
If you install their 'stuff' (or other word beginning with 's'), and don't question what their programs are doing to your system, or you, then, well, you are running Linux, and it's your right to commit electronic suicide. As root, it won't even argue with you when you tell it to 'rm everything on my dammed system'. Richard
On Tuesday 03 November 2009 14:32:40 Richard wrote: ...
When I find such animals, using OPEN SOURCE, at least I can have a fighting chance at being able to track down what, who, and why if I have any questions.
And what prevents you to run network monitoring tools, track down Internet usage of every application on your computer, and setup firewall to prevent connection to offending sites? The type of binaries doesn't make a difference, open, close, whatever source. If you accessing Internet you have no privacy. You shoot barrage on Flash violating your privacy, forgetting that your ISP has much more data about your Internet habits than any advertising company can ever imagine to collect using browser cookies and/or Flash. What you going to do about that? -- Regards, Rajko
On 04/11/09 21:47, Rajko M. wrote:
On Tuesday 03 November 2009 14:32:40 Richard wrote: ...
When I find such animals, using OPEN SOURCE, at least I can have a fighting chance at being able to track down what, who, and why if I have any questions.
And what prevents you to run network monitoring tools, track down Internet usage of every application on your computer, and setup firewall to prevent connection to offending sites? The type of binaries doesn't make a difference, open, close, whatever source.
If you accessing Internet you have no privacy.
You shoot barrage on Flash violating your privacy, forgetting that your ISP has much more data about your Internet habits than any advertising company can ever imagine to collect using browser cookies and/or Flash. What you going to do about that?
I know that this more appropriately belongs in offtopic but seeing as how the Adobe Flash problem was mentioned by the OP in this thread I thought it appropriate to post this: Adobe patches critical bugs in Shockwave Player Full story here: http://www.infoworld.com/d/applications/adobe-patches-critical-bugs-in-shock... BC -- The chief cause of problems is solutions.
On Wednesday 04 November 2009 11:24:12 pm Basil Chupin wrote:
On 04/11/09 21:47, Rajko M. wrote:
On Tuesday 03 November 2009 14:32:40 Richard wrote: ...
When I find such animals, using OPEN SOURCE, at least I can have a fighting chance at being able to track down what, who, and why if I have any questions.
And what prevents you to run network monitoring tools, track down Internet usage of every application on your computer, and setup firewall to prevent connection to offending sites? The type of binaries doesn't make a difference, open, close, whatever source.
In order to make use of Ethereal or such, one needs to know they are being hacked. With Flash, the illicit data is exchanged in the course of an otherwise valid communication which no firewall could possibly trap because it is to/from a legitimate destination and port and protocol.
If you accessing Internet you have no privacy.
You shoot barrage on Flash violating your privacy, forgetting that your ISP has much more data about your Internet habits than any advertising company can ever imagine to collect using browser cookies and/or Flash. What you going to do about that?
note to Rajko; My ISP and I have a legally binding contract regarding what they can and cannot do with the knowledge they gain about me because of the information I supply them as a customer, such as name, address, financial information (in the form of a credit card debit authorization), etc. If they violate that, they are subject to a lawsuit which *could* make me more wealthy than the exposure I tolerate by being a customer of that ISP. They have a duty, legal and moral, to protect any data they may have/collect from/about me as a result of my being a customer. Hackers obtaining the same or similar information through worms, trojans, viruses, phishing scams, keystroke capturing or whatever, do not have the same contract and have no right to the information I supply to my ISP as a customer. BTW, it isn't just PRIVACY at issue here, it is the fact that these 'flookies' can hold entire programs that can overcome the protection of the OS against hacker activities. If I can change permissions via software, if I can read and transmit the contents of a file via software, then malicious software can do the same *without* my knowledge or permission. Flash has been hacked and can and does have the ability to execute malicious code not written or endorsed by Adobe, but because the base software is closed source, it is nearly impossible for a user to detect the alterations made by hackers. Adobe has admitted to 'bugs' in their software that require patches to prevent such hacking. When and if they provide the patches, great and more power to them, but what about the bugs they haven't patched? With open-source, there are literally thousands of people that enjoy analyzing the code of various programs in order to find bugs and exploitable code. When the open-source community finds such things, it is often just hours before the entire world has at its' disposal, a patched version for download. 
No waiting for a vendor to weigh the cost of bad publicity, lawsuits or whatever by admitting the error and then offering a fix, often in the form of a 'new version' which incidentally, costs an upgrade fee.
I know that this more appropriately belongs in offtopic but seeing as how the Adobe Flash problem was mentioned by the OP in this thread I thought it appropriate to post this:
Adobe patches critical bugs in Shockwave Player
Full story here:
http://www.infoworld.com/d/applications/adobe-patches-critical-bugs-in-shockwave-player-892?source=rss_infoworld_news
BC
Basil, Thank you....you've helped me make the point and increase my resolve to use open-source software exclusively, if at all possible, and if not, to find other ways to do a similar and acceptable job that does use open-source. That article is precisely what I was talking about....not that Adobe, per se, is a villain but that closed source software is often hacked by malicious hacker types and when that happens, there is little or no recourse the end user has to detect and combat it. With Open-Source software, one has a much better chance to detect and combat such hacks. Why is Windows the #1 worst offender and the most leaky, insecure piece of software it is? Closed source. Why is Linux by comparison relatively solid and secure and hard to infest with hacks? Open-Source. Now, I happen to think Adobe Flash does a great job at what it is supposed to do. What I am afraid of is when it is doing something I don't want it to do. Its very nature, coupled with the fact that it is closed-source, makes hacks that invade the privacy, such as it is, difficult to detect and correct. That is why I keep asking for an open-source alternative. I don't have a problem with PAYING for good software, even open-source software. I realize that the software itself isn't a big money maker especially if it is open-source, but Red-Hat, Novell and others have certainly found that it is possible to give the software away, but sell the service. Give the razor (apps) away, charge for the blades (service)... Richard
At 01:01 AM 11/5/2009 -0500, Richard Creighton wrote:
/snip/
That article is precisely what I was talking about....not that Adobe, per se, is a villain but that closed source software is often hacked by malicious hacker types and when that happens, there is little or no recourse the end user has to detect and combat it. With Open-Source software, one has a much better chance to detect and combat such hacks. Why is Windows the #1 worst offender and the most leaky, insecure piece of software it is?
****************************************************************************
It should be obvious to the most oblivious observer, that Windows is the most prevalent system, so if you want to do the most damage, that's the system you target. No matter how good or bad the Windows system is, that's where the problem is going to be. If Linux, or other Unix systems, were on everybody's desk, and running everybody's network, the skunks would be there instead.
****************************************************************************
Closed source. Why is Linux by comparison relatively solid and secure and hard to infest with hacks? Open-Source. Now, I happen to think Adobe Flash does a great job at what it is supposed to do. What I am afraid of is when it is doing something I don't want it to do. Its very nature, coupled with the fact that it is closed-source, makes hacks that invade the privacy, such as it is, difficult to detect and correct. That is why I keep asking for an open-source alternative
/snip/
I admire those that say open source is the answer. But those of us who don't write code are no better off than those who pay for every ap they use, closed source. It would do me absolutely no good at all to have the code for Adobe-- I couldn't read it, nor could I fix it, if it were broken. I hope that this doesn't result in a flame thread, but I do think that it makes sense.
--doug
* Doug McGarrett <dmcgarrett@optonline.net> [11-05-09 01:48]:
Now, I happen to think Adobe Flash does a great job at what it is supposed to do. What I am afraid of is when it is doing something I don't want it to do. Its' very nature, coupled with the fact that it is closed-source, makes hacks that invade the privacy, such as it is, difficult to detect and correct. That is why I keep asking for an open- source alternative
/snip/
I admire those that say open source is the answer. But those of us who don't write code are no better off than those who pay for every ap they use, closed source. It would do me absolutely no good at all to have the code for Adobe-- I couldn't read it, nor could I fix it, if it were broken.
I hope that this doesn't result in a flame thread, but I do think that it makes sense.
the quoting style may lead to some confusion, but your answer is in the group of people around you using foss. *Some* of them are able to read code and *do* complain about things that are not kosher. That makes *you* better off even though you don't know it. -- Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711 http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://counter.li.org
Doug McGarrett wrote:
I admire those that say open source is the answer. But those of us who don't write code are no better off than those who pay for every ap they use, closed source. It would do me absolutely no good at all to have the code for Adobe-- I couldn't read it, nor could I fix it, if it were broken.
Uh, Doug, Don't you see those regular security notices put out by Marcus Meissner, etc.? Don't you use linux, Firefox, Thunderbird (or Opera, Konqueror, kmail, etc.)? Don't you update your system when you see the notices? You _are_ better off because of the thousands who can and do look at the code, design and implement fixes, and update suse or whatever. You are a direct beneficiary of open-source, and most particularly the GPL. And so am I, and Richard, who don't look, design, and implement, along with all those who can and do. John Perry