Microsoft’s new consumer product, OneCare, “offers virus and spyware protection, a new firewall and several tune-up tools for Windows PCs”. A beta version is scheduled to be available by the end of the year, and the final product will be offered as a subscription service.
I was just about to write the exact same post as yours.
I don’t use their os any more and hope I won’t in future, so I really don’t care
This news is not news at all… it’s just so damn obvious :-S
I guess this is really the case of “spread the disease and sell the cure” X-D
LOL @ all the computers! I tell you, one of these days people will go back to pencil & paper just to get rid of all this absolute nonsense.
Why are they charging when…
http://housecall.trendmicro.com/
FREE online virus/spyware/security check
This is such garbage…first it costs hundreds to get the OS…and now THIS just to keep it running…
If they would just build the operating system good in the first place…
A classic situation of “give ’em the poison, sell ’em the antidote.” If Microsoft were to design things right the first time, these kinds of things wouldn’t happen. You know, it’s not even their OS that’s the problem – it’s IE. I do off-the-side tech support for folks, and it’s always the same thing – the spyware-infested computers are the ones with IE as the browser. On the PCs I’ve serviced, the ones that I installed Firefox on, I haven’t gotten any calls from them – their problems just disappear.
Will there be no 3rd party software firms left? How can Symantec and others compete with MS and the whole pre-bundled issue. Will Symantec/Trend/Fprot and company be the next Netscape?
Although on a side note these AV firms software/spyware/spam firewall packages are almost as bad on system performance as the viri..
X
After seeing that Penny-Arcade strip, I can’t read “M$” without thinking of some nerd in a Star Trek uniform yelling “From my parents’ basement in Wisconsin, I stab at thee!”
Virus defense is the most worthless technology ever created for a computer. What you end up paying for, is software that runs in the background eating up your cpu, while providing no benefit for your machine. When new viruses come out, your virus software won’t stop them, because your virus software does not know about them yet. Then the vendor of your OS will come out with a fix to stop the virus from spreading, and you install the patch from your vendor to stop the virus.
So what exactly does your virus software do to protect you? If the bug isn’t patched, the virus can always get in by changing its signature to something the virus software doesn’t know about yet.
In the Slashdot article, people claim that Microsoft has every right to ship an anti-virus product, because it is impossible to stop viruses on the OS. But isn’t that what they are claiming the anti virus software will do? Stop the viruses on the OS? The logic these people have makes no sense. They say it is impossible to stop viruses, and they say they can stop viruses with software. Is your OS not software? Can’t these MAGIC changes be made on your OS, instead of stripping them out into a separate product?
http://chaosfarmer.blogspot.com/2005/05/virus-scanning.html
“All your money are belong to us.”
Works for Red Hat.
Microsoft is not the greatest innovator, but it can use ideas of others without second thought.
The Devil was still a little boy when Microsoft began to talk about software subscription. If they succeed with that scheme, it will be a dream become true. And soon you’ll have to pay annually to use Office so that your documents, all in MS proprietary formats, will still be accessible to you.
Ironically, services model is how OpenSource survives.
Services would be fantastic fit for Microsoft: no more copyright protection and if you do not pay $$$ to Microsoft annually your computer will be infected by worms, viruses, 0wned by spyware- all with Microsoft not even lifting a finger.
Blame your pennysaving and evil hackers, or fill Microsoft’s wallet. :)
What does not kill Microsoft only makes it stronger.
You are confused — the OS does not have to have ANY bugs and security exploits for there to be viruses for the OS. There are a lot of viruses that exploit bugs and security issues in the OS and associated software, but there are also many that do not do that and do not depend on any bugs or security holes. For the former type of viruses, when the bugs are patched antivirus software will not be needed to protect you, but for the latter, you need an antivirus program to stop them. And often, viruses are actually a combination of both types, so you definitely need antivirus software, unless (currently) you are running GNU/Linux or BSD. And even then, it is good to have antivirus program handy to screen the Windows viruses. And there are some viruses for GNU/Linux and BSD, too.
Antivirus programs also automatically update themselves with information describing new viruses (new virus definitions), so you do get protection against new viruses, albeit after a virus sample has been analysed by the antivirus lab and after a certain number of people have been infected by the virus while there was no protection for it. But most people’s antivirus programs quickly get the protection automatically so they are never infected. Antivirus programs also can do heuristic analysis on the data to detect totally unknown viruses.
It is an entirely different, and very important issue why there are so many viruses being written every day. Why the laws seem to favour crooks. Why indeed antivirus companies loathe seeing the status quo change and why they fear-monger.
But antivirus software is needed — it’s like the immune system in your body.
When an ISP provides a free antivirus/firewall. Concerning spywares, I haven’t encountered one when using any non-IE browser. This is another marketing stunt from Microsoft caused by their own ill designed browser.
We aren’t worried. I don’t think anyone should care until Symantec does.
No matter how secure you make an operating system the user can always find some way to mess it up. I personally can’t even remember the last virus/spyware I had on Windows. I’m not so concerned about viruses as much as I am with spyware. Most spyware I have had to remove came on to the computer because the user allowed it! They download some little free utility and if you read the license agreement (which most don’t) it will mention something about a program being included to subsidise the cost of development. AKA spyware. Tell me how Windows (or any OS, even the so called elite Linux) can protect against users that willfully allow something to be installed.
You say it is not the OS’s fault that the virus gets in, and there is nothing the OS can do about it. But if that was the case, then virus software would not exist. There is something you can do about it. (and microsoft has taken steps to do some things, like making sure outlook will not let you download .exe files and other executables.)
All the viruses of late, have spread via email, so the filters should be on the mail server and not EVERY client. or the viruses spread via a security hole in the OS, so the OS needs to be patched to stop them.
There is no reason for virus software on local machines. Viruses are not magical, they either spread via a hole in the OS, or a user running something out of their email.
The vendor of the offending product should be responsible for patching the holes, and cleaning up the mess made by the virus that came through that hole. You should not be rewarding the vendor for having a security hole in their product by paying them a monthly fee.
This reminds me of the company that decided to pay their developers $X for every bug they found….
“Tell me how Windows (or any OS, even the so called elite Linux) can protect against users that willfully allow something to be installed.” –ac
Well if you’re running Microsoft’s anti-spyware program, it’ll tell you when programs are trying to install themselves in your startup scripts. It will also tell you when programs are trying to update your homepage. They also set up the Outlook API, so it will ask you before a program can look at your address book or send mail. Firefox will make the user wait 2 or 3 seconds before it even allows them to install an extension, and by default it will only let them install extensions from known sites. Mac OS requires a password before it writes to any system area.
Just because you don’t know how to do it, that doesn’t mean it is not possible.
Tell me how Windows (or any OS, even the so called elite Linux) can protect against users that willfully allow something to be installed.
The OS cannot. But the culture among the users of an OS can. On *Nix if you hose your system and you are root, then it is your own fault. The computers you administer are your responsibility.
When on a Win32/64 system, when a user runs as admin and screws up the system… He just becomes an innocent victim of his ignorance who needs saving. (Right.)
I’d say, let people ditch their attitude of “not needing to know how their computers work” and get with the program. If you want to use a car, you need to know how to use it. Why is a computer any different?
I heartily agree with you.
-I have the poison!
-I have the remedy!
Not only this service should be free (because MS is responsible for letting viruses exist), but they should actually reimburse users for the time wasted because of viruses on their OS.
The only thing wrong with OneCare is that it should be absolutely free as part of the price you already pay for Windows, like Windows Update is, not an add-on subscription that you pay extra for.
But if that were the case, the Trend Micros and the Symantecs would scream bloody murder and US gov anti-trust would be all over MSFT in a second (“anti-virus is a $13 Billion/year industry and we will not let you kill it”).
I’m sure Microsoft wouldn’t mind offering OneCare for free at all, but there is just no way that they ever could…
Am I the only one who sees this as a thinly disguised attempt to institute a monitoring mechanism into 90% of people’s computers? Call it paranoia, but consider the ramifications if it is true.
1) The richest, most arguably evil corporation in modern history controls over 90% of personal computers – this is already the case
2) This corporation has been ruled an illegal monopoly, uses enforcement tactics that inspire terror (BSA audits/raids), and attempts to “re-educate” people about “thought theft” (http://yro.slashdot.org/yro/05/05/14/072201.shtml?tid=109&tid=141&t…)
3) This corporation, in the name of “security”, introduces a software suite that can, at their sole discretion, monitor nearly EVERYTHING a user does on their computer (running processes, memory contents,…practically all information on the pc), disable “unapproved” or “unsafe” content, and even potentially inform authorities about “inappropriate” activities
4) This software is initially a free security upgrade, but later, as more and more people install it, becomes mandatory.
5) Millions of people worldwide willingly invite this into their computers (essentially their digital lives)
This is a recipe for disaster…and I do not say that lightly.
[sarcasm]
I’ve already downloaded my copy! When are YOU getting yours?
[/sarcasm]
The last thing I would trust is an anti-virus subscription service offered by MS.
Finally MS will learn how these viri and spyware infest their hole filled OS and perhaps in the future they will build a better OS overall?
Then again if this service sells a lot and brings in major cash then they might want to make it easier for viri lol.
I wonder what the average person’s reaction to this service will be… and I wonder if MS is going to “Bundle” a few free months with the purchase of their OS… just like they integrated IE.
finally a comment with some style
Extortion and racketeering. That’s all it is, more bullsh** from Microsoft.
MS can take their antics and cram it, if this continues I’m moving fully to linux and maybe I’ll get a mac for my (unfortunately) needed Adobe products.
So long as they feed this BS I’m not buying another MS product.
“one of these days people will go back to pencil & paper just to get rid of all this absolute nonsense.”
It would save the global economy billions every day!
It is amazing to see how much time and money is wasted in keeping these Toys UpToDate, Secure, and running. People seem to be more concerned about their computer systems than with the actual Jobs. We are wasting more time with making a presentation or a spreadsheet look good than with customer service.
We are wasting more time and money upgrading networks and installing the latest S/W with all the unnecessary blows and whistles than with our products.
Fools! The big reason the security vulns got so bad with Windows was that few people updated their systems ever. Things seem to be working out with having auto-update on by default. But why not have all the security enabled or included by default. This seems totally illogical and asking for a storm of security issues.
no autoupdate by default for corporations. hassle for admins.
for others…switch to Mac.
“I’m sure Microsoft wouldn’t mind offering OneCare for free at all, but there is just no way that they ever could..”
And why should they? As soon as somebody scratches on their monopoly offering free S/W they cry out foul and involve governments and lobbies around the globe to “protect” them from the nasty communists.
There is enough competition to secure a fair price and offering for the consumer.
IMO MS should stick with their Xp and Office. Gee, I can’t understand why they should stick their nose into things somebody else does much better than them.
“Not only this service should be free (because MS is responsible for letting viruses exist).”
I don’t like microsoft, but please get your facts straight. They are not responsible for the existence of viruses. Virus writers are.
And….
From
http://csrc.nist.gov/publications/nistir/threats/subsubsection3_3_1… :
“The first viruses found in the wild were Apple II viruses[…]”.
This is a very amusing argument – MS cannot give their antivirus product away, because it would amount to price gouging of their competitors in the anti-virus space – ie anti-trust case.
I don’t know about american law, but where I live, competition laws can be overridden by public benefit. It seems to me that anti-virus is economically inefficient. There is a whole lot of resource going into keeping a broken OS going for 100’s of millions of computers.
It seems that if MS can produce a secure product, whether by way of OS or bolt-on (whether they actually succeed is another question) and give it away for free, that has to improve the efficiency of the economy, and be of public benefit. This means that the billions of dollars spent on anti-spyrus software can be spent more productively, improving the wealth of all.
I say GIVE IT AWAY – improve all of our lives. How can spending billions of dollars essentially to protect against stupidity be economically efficient?
Don’t give it away. I say fix the inherent design flaws in the OS and then there’s no need to use antivirus or antispyware.
I say fix the inherent design flaws in the OS and then there’s no need to use antivirus or antispyware.
——————————————–
I could probably give up my spyware and virus scans. I use them once a month and have yet to find anything. Looks like things are ok here.
“Build it and they will come”
Who is hearing “Another bites the dust” with the introduction of this, and the eventual decline of Symantec and McAfee as a result?
The whole lease an OS for a year is getting me testing Linux. I get tired of paying Symantec and MS and others for the right to use their software.
Another program for the virus, worms, parasites to infect. I want to see how Microsoft’s service “No OneCares” will perform against the leading antivirus programs
I don’t think so. Every couple years Microsoft likes to charge their customers a lot of money for a new OS, but this time they can’t make money from offering a new OS. So they have to find another way to replace that lost revenue maybe their investors are getting worried for forcing Microsoft to start offering this kind of service which they could start offering long time ago if they really cared. This service could have been added to the last service pack for free if windows long was released, but since no revenue was made now they hope to make a lot of cash with this gimmick.
There is one easy way to avoid spyware on Linux – use Open Source applications.
With an Open Source application, everyone on the planet can see exactly what is in it, what functions it contains.
If there is any spyware in the code, it won’t be accepted against competitor code without spyware – or someone else will simply create a version without the spyware.
Open Source == No spyware, by definition.
“Don’t give it away. I say fix the inherent design flaws in the OS and then there’s no need to use antivirus or antispyware.”
This might be partly the case for virus, but it is not the case for spyware.
Nearly all spyware and a good many viruses get on to a system because a user intentionally installs something for which he has no idea what it contains.
Use Open Source software – where you can see the source code yourself, or you know at least that there are millions of people (users and programmers alike) all around the world who can see the source code and understand it and who therefore know it contains nothing malicious.
Where you can, use Open Source software exclusively. Install only Open Source software. That way you are 100% guaranteed that it will contain no malicious code.
brilliant idea, I can use One care and have complete confidence that my PC is running with out any nasties.
Thank you Microsoft
“I can use One care and have complete confidence that my PC is running with out any nasties.”
Errr, no.
If you (or thousands of programmers independent of the provider) can’t see the source, then you have zero confidence that there are no nasties.
If it is from Microsoft, you actually have 100% confidence that there are nasties. Microsoft’s EULA says so.
I can use One care and have complete confidence that my PC is running with out any nasties.
Not in reality. With advanced polymorphic programming “tricks” you can create zillion new viruses of one and the same virus with practically the same effect yet an X virusscanner doesn’t detect it as such. Virusscanners will always run after the facts. Personally I think if the OS designers had at least a slightly bit of integrity themselves they would think of alternative designs which would make an anti-virusscanner for example obsolete. Just as illusional however as thinking the Oil lobby would really sponsor alternative fuels.
The comment list seems more of an MS bashing spree than actually a discussion about the new feature. MS may integrate this feature into Longhorn for a meagre extra price and then take over the AV industry.
And one more thing if you know how to use Windows then you are completely safe but if you have no idea about firewalls, AV or Anti-spyware which at least 80% people don’t bother to use you would be the person to suffer. It’s not the OS it’s the user who decides what’s happening with the OS.
“You say it is not the OS’s fault that the virus gets in, and there is nothing the OS can do about it.”
No, I do not say this at all. Please read my response again. It is OS’ fault if it has security exploits that are unpatched and that could be exploited by one type of viruses. So the OS can do something about it.
“But if that was the case, then virus software would not exist.”
That is not the case at all. But even if that WAS the case, there are still viruses that do not exploit any unpatched security holes or bugs to infect you — the second type of viruses I mentioned in my previous reply. Those are viruses who simply rely on your running them voluntarily and then they have access to your computer just as any other program.
“There is something you can do about it. (and microsoft has taken steps to do some things, like making sure outlook will not let you download .exe files and other executables.)
All the viruses of late, have spread via email, so the filters should be on the mail server and not EVERY client. or the viruses spread via a security hole in the OS, so the OS needs to be patched to stop them. ”
Viruses do not spread only via e-mail. There are a lot of malicious programs on the internet that mask as benign ones. People download them, and the antivirus on the mail server can do *nothing* about it.
I have, and people do receive by e-mail compressed files that are password-protected, and the password is provided in the e-mail text, the user urged to use it to open the attachment for whatever reason. Such password-protected compressed files cannot be scanned for viruses by the e-mail server, because it does not know the password.
When a careless or ignorant user uncompresses such an attachment, a host-based antivirus solution running on the client computer can intercept the virus before it has done any harm.
“There is no reason for virus software on local machines. Viruses are not magical, they either spread via a hole in the OS, or a user running something out of their email.”
I have given you counterexamples above that show that your thinking in the above paragraph is limited and wrong.
“The vendor of the offending product should be responsible for patching the holes, and cleaning up the mess made by the virus that came through that hole. You should not be rewarding the vendor for having a security hole in their product by paying them a monthly fee.”
For viruses that depend on security holes, I agree! But as there are many viruses that do not depend on security holes, and rely on your clicking onto them, and then they have full access to your computer (under Windows) just like any other program, there is a lot of work required which has to be paid by someone if the work is to be done at all.
I hope I have cleared any misunderstandings for you this time.
I have given you counterexamples above that show that your thinking in the above paragraph is limited and wrong.
Ha Ha Ha, I assume you live in a high IQ society or maybe belong to the mensa club.
“Ha Ha Ha, I assume you live in a high IQ society or maybe belong to the mensa club”
I will laugh with you at my own statement. I am really sorry if it came off as elitist — it was absolutely not intended to be. My apologies!
“if you know how to use Windows then you are completely safe”.
Err, no. Just one word here is all I need to counter that view: “ActiveX”.
“it’s not the OS it’s the user who decides what’s happening with the OS.”
Again, no.
Anyone who installs closed-source software places their system at risk. With Windows, that starts with the person who installed that system in the first place, and the first-named user who is given Admin rights by default.
On Windows systems, many other users also require Admin rights in order to be able to run the applications they need.
On Windows Systems, many users run with rights such that malicious software accessed via browser or email client for that user can install malicious code.
Windows Systems are fundamentally broken security-wise, and if a Windows System is exposed to the net then no amount of anti-virus or anti-spyware software is going to keep that system safe.
Furthermore, if Microsoft introduce a new system (call it Longhorn for argument’s sake) with these security issues fixed (so that viruses and spyware no longer run) – then many existing legitimate Windows applications will no longer run either.
Windows people can say goodbye to legacy compatibility or say goodbye to security – those are their two choices.
If they say goodbye to legacy application compatibility – then they might as well run Linux as Longhorn. It will be a lot cheaper to run Linux than buying a new computer, new OS and all new applications – as would be required for Longhorn.
>Err, no.
Hell, yes!
>Just one word here is all I need to counter that view: “ActiveX”.
One word is not enough. I run IE. All computers in my family run IE.
So, what is your problem with ActiveX?
Also, do you have problem with Netscape plug-ins? FireFox add-ons?
>Anyone who installs closed-source software places their system at risk.
Anyone who does not trust anyone else but himself is sad person to be.
Microsoft CAN give the anti-virus software away. There is no law against it in America. However, the gist of the original post was also correct. Microsoft cannot give the software away without inviting more anti-trust lawsuits. It is a nice Catch 22 situation.
American law provides that anyone can sue someone. The judge decides whether or not the case has merit, or eventually decides who wins. It isn’t law until the judge makes a decision. Until that judge’s decision, it is “established precedent.”
By charging for the anti-virus software, Microsoft establishes the company as a competitor, on an even playing field, with Symantec, McAfee, and others. They do not position themselves as “the 800 pound gorilla killing another Netscape” by giving the software or service away. Also, by providing a service with a subscription fee, they are not doing anything other companies are attempting to do, Symantec among them. Symantec started implementing a subscription strategy over two years ago.
Do I like it? No. Is it a good thing for the industry? No. Is it an inevitable decision from Microsoft? Yes.
Later . . .
I think OneCare will be a success. A majority of consumers will see it as a bonus, nice feature or option that Mac or Linux do not offer. MS will promote as an OS that has “built in virus protection”. Now you’re safe!
>>”if you know how to use Windows then you are completely safe”.<<
>Err, no.<
“Hell, yes!”.
Err, no. Hell No!
“One word is not enough. I run IE. All computers in my family run IE. So, what is your problem with ActiveX?”
ActiveX will execute instructions from the web without any say so (or even knowledge) of the users of a Windows System.
ActiveX can remotely be made to remove or install files at the Administrator permissions level.
ActiveX allows Windows Systems to become “owned”.
Literally millions of Windows systems are in fact owned.
This very thing is the source of all the spam that inflicts e-mail traffic and clogs up the internet.
“Also, do you have problem with Netscape plug-ins? FireFox add-ons?”
I don’t have a problem with Firefox add-ons that are open-source, especially on a Linux system where they must obtain permission by interrogating the user for a root password before they get installed.
On a Windows system they may be more problematic, and on any system plugins that are closed-source are indeed a problem. Don’t install such.
“Anyone who does not trust anyone else but himself is sad person to be.”
Strawman … I never said this. What I claimed (paraphrased) is that you can not explicitly trust anyone who wants to keep hidden from you the way that their stuff works – compared with the fact that you can trust someone who is prepared to show the whole world the way his stuff works.
As they say in the classics – never buy a car which has the bonnet welded shut.
“option that Mac or Linux do not offer.”
bzzt. Please try your troll again.
http://www.clamav.net/
Mark, I know that there are virus scanners and virus software on Macs and Linux what I am saying is that Microsoft will show this off as an “advantage” over competing OS being that it is an OEM solution when it may be no better than Symantec or other commercial or free offerings.
I mean it’s obvious that Microsoft has had their problems and their OS has been through a lot. But people forget that Linux is not completely omitted from such problems, being as it’s not an operating system run by amateurs. The people who run Linux, usually know what they are doing. Hell I have two Windows machines, never been infected, hacked, or crashed; why? Because I know what I am doing, same goes for Linux, and everyone visiting here knows that.
The fact is Microsoft is needing to do this because despite their, and the rest of the industry’s efforts, people still don’t know what Viruses or Spyware is/are. Is Microsoft a monopoly and should they have done a better job designing Windows: Yes. But I think that is what they are starting to try and do, but we all know how much Legacy code Windows is using.
People need to step back and not think money, money, money. Yes this is going to make money, God I hope it would, that’s basic economics, and I think the people here are smart enough to realize that. But looking at it from another side, it’s a way to make absolutely sure everyone has anti-virus protection, why? Because when you own 90%+ of the market, you’re gonna get targeted and many of them don’t even know what a virus is.
The time is approaching where Microsoft will finally be challenged in the markets it has long dominated on the consumer side, which is its stronghold. We know this to be true and we are seeing it in various ways. Microsoft doesn’t want this, but it is happening, so that we can rest easy about.
The bottom line is that people need to stop ranting and raving about how much Microsoft is going to make doing something and consider the economics of the situation. For example, it is common knowledge that Microsoft employs some of the best engineers in the world. While I have great respect for the open source developers that I know, they agree that it doesn’t pay the bills. Consider how much what they are doing costs?
Hi,
Microsoft, as the designer of the operating system, has internal knowledge that other anti-virus companies don’t have (like access to the OS source code). In this case I would expect Microsoft’s anti-virus software to be better than any of the competitors products.
This raises further concerns for me – if they find a security hole in the kernel, will they fix the hole and release it as a service pack or will the updated kernel be downloaded and installed via OpenCare subscription only? After a few years will Windows users actually have a choice?
-Brendan
How does Microsoft knowing how their kernel is coded help them in any way whatsoever in recognising and removing viruses?
Microsoft know of dozens of huge security holes – like ActiveX, Internet Explorer and Outlook – yet they don’t fix those.
When Microsoft do make a fix for their broken system they expect customers to pay up to get that fix. In any other industry if a fix was required to a product there would be a recall and it would be replaced at the suppliers expense – how is it that Microsoft are allowed to charge users over again for the product when they offer fixes such as OneCare?
Mark, you are in need of a little education. ActiveX, if you look at what it does, is a piece of software which can be downloaded, installed and used by the browser.
From the software development point of view ActiveX is not that different from any other executable you willingly download and install on your computer.
Like FireFox extension or Netscape plug-in, or QuickTax, or OpenOffice.
>I don’t have a problem with Firefox add-ons that are open-source, especially on a Linux system where they must obtain permission by interrogating the user.
Sounds very much like ActiveX controls behave under Windows.
Spyware sneaks under Windows because user gives up and agrees to install ActiveX. Spyware also sneaks when user installs some kind of KaZaa software altering Web browser.
Somehow you believe same user transferred to Linux will not enter root password when asked if he/she wants to install Web accelerator, for example.
Somehow you believe that Linux software is not able to alter or even plain replace Web browser when installed. Somehow you believe that if some kind of KaZaa for Linux is installed and asks for root password, Linux user will just say no.
You can believe anything you want. Feel free. Just don’t tell others who know how to run Windows safely that ActiveX will kill their first born child. You’ll look silly.
>you can not explicitly trust anyone who wants to keep hidden from you the way that their stuff works
Before you take Tylenol do you visit a factory that produces it to see how their stuff works, or do you just trust a label which says “pain relief?”
Sad, truly sad.
>As they say in the classics – never buy a car which has the bonnet welded shut.
A truly zero maintenance car will be the blessing and the hit for 99% of drivers.
I see that you don’t get it.
You came with the car analogy, so here it is: a car makes me free because it takes me from point A to point B, not because I can rebuild its engine in my sparse spare time.
MS buys already fully developed products. Still, it takes them till the end of year to make them Beta?
Must be real hard to slap their logo on!
You sir are a fool – and you lack significant knowledge to boot. You do not know enough even to know you are a fool.
ActiveX is an interpreter – one downloads code definitions which are interpreted by the ActiveX functionality which is embedded in the Windows kernel. If ActiveX were actual code – any OS could execute it – and Microsoft does not like that. Microsoft wants to create proprietary, hidden extension to internet protocols so one has to have a Microsoft OS and browser to be able to use it. But because ActiveX is actually part of the kernel, it can (and does) execute things with root-level privileges. This is bad – very, very bad – for security.
Now, as for another of your misconceptions:
1. An ordinary user on Linux does not know the root password and has no need to know it. The only person who knows the root password is the Administrator (and probably owner) of the machine. If that administrator installs software for which he cannot attest that the code is trustworthy (through it having been reviewed and vetted by thousands of people independent of the author) – then (and only then) is the Linux system as liable to end up in a mess like a Windows system. The principal problem with Windows is that just about all users have to be given administrator privileges because many applications won’t run properly without that. This is a legacy of Windows not being a multi-user system when it started, and the multi-user functionality of the system is an add-on afterthought that first appeared with NT.
2 “Somehow you believe that if some kind of KaZaa for Linux is installed and asks for root password, Linux user will just say no” – a few points, 1 – you cannot install KaZaa on Linux, 2 – without the root password anything a user installs on Linux can only touch that user’s directories – it cannot affect other users, and 3 – normal users on Linux don’t know the root password, and those that do should know better than to install closed-source trojans.
3 “run Windows safely” is an oxymoron. It can’t be done. This is why Windows has virus checkers and anti-spyware tools in the first place.
4 “A truly zero maintenance car” and “Microsoft Windows” are exact opposites, and nothing at all like an analogy. In fact, Windows needs re-installation about every 10 months – or every time you ring up the clueless Windows support people, whichever is sooner, and Windows is designed to need replacing with an upgraded version every 3 years – so that Microsoft can stay in business. Linux systems have uptimes longer than that.
So here is your car analogy back at you – a car with its hood welded shut can be repaired only by the carmaker. Nobody on the planet with more than two braincells would stand for that nonsense – especially when the carmaker says – “here, you have to buy my new model to fix that problem” after having the car only three years, and with the car needing an overhaul every ten months while you had it anyway.
Actually, I correct myself – one can get Kazaa for Linux. It is just that it is not part of Linux repositories such as Debian’s apt repositories or Mandrake’s urpmi repositories.
Kazaa is closed source. That means I wouldn’t install it – it is likely to have spyware in it – No?
I bet it has got spyware. Yes? Thought so. Closed source.
The main problem as I see it is how will any other AV vendor compete when MS already has its AV installed when the new machine comes to granny’s door? She won’t uninstall and go to Best Buy to get another.. I don’t care if MS has the product but the playing field should be level. In a perfect world you should get an AV screen at first boot asking you which vendor you prefer and after choosing…say…NOD32 (-; it goes from there, same with Firewalls or whatever…
In a perfect world my computer would also brew coffee in the morning and have it waiting when I come to work as well…
A new meaning for Java Beans..
X
MrX did you not read the introduction part?
“and the final product will be offered as a subscription service.”
That means that you have to pay Microsoft on a periodic basis for it.
OTOH, I can get a GPL open source antivirus scanner from: http://www.clamav.net/
… and download new virus definition files for free.
I can download from SourceForge the WinClam antivirus for Windows – and know with 100% confidence that the package I get to scan all of the files on my machine has no spyware in it and it will not rat on me to anybody what stuff I have installed on my box.
I would rather use Knoppix to scan Windows partitions for viruses.
But will it come pre-loaded like MSN (which also charges for dial-up service) and used to be the first option when setting up your dial-up account thru the new connections wizard?
Just want a fair play rule is all…
and coffee…
X
There seems to be some talk of the user having a root password and not needing to know it. My take is that the typical user will probably just run as Root anyways. They will configure their computer to log in as root automatically and then when they are already in, they don’t need to worry about typing a password to install something.
Just because an application is open source does not mean that spyware is not bundled with it, or even contained in the code for the main program… are you going to go in and look at the code?
Spyware has nothing to do with closed source applications, in fact, most spyware comes piggybacked on an install for another application. The software that you are intentionally installing rarely has spyware in the code.
Also, your car analogy just does not work. You can not compare a car to an operating system. To a computer, sure, but not to an operating system. The insides of a car don’t have intellectual property that the manufacturer would like to protect, whereas with software, that IP is precious.
If a user is on Linux, they will know the root password because it IS their computer. You can’t compare Windows at home to Linux in a domain type network. Employees at a company do not know the administrator password for Windows just like on a Linux system. If you are going to argue a point at LEAST be consistent in your argument.
NT was built from the ground-up to be multi-user. Just because it is called Windows does not mean it was derived from Windows 1, 2, or 3. It wasn’t even a redesign of the old Windows. It was a completely new entity.
He didn’t say that ActiveX was an application. What it is, is an API to allow applications to run from the browser (applications that are no different than one that you install off your own system, for the most part).
ActiveX is NOT part of the kernel (and neither is IE). I don’t know where you got this nonsense from, but it’s not at all.
ActiveX was not meant to lock people into Windows. It was meant for giving IE the ability to have extensions, which is what it does. Any OS that has IE can run ActiveX controls, it just so happens there are only two OSes that have IE, MacOS and Windows. This is NOT different than how Firefox works. You can not run Firefox extensions on other browsers (often not even Mozilla). So according to you, this is an attempt to lock people into Firefox.
Windows is no less safe than Linux. I don’t get viruses, spyware, and the like on my system, but that’s because I know what I’m doing. I know what not to install, what attachments not to open up, etc… Linux is the same way, you can’t run just any program on it. And whether you would like to believe it or not, there are viruses that run on Linux.
Microsoft’s setup for anti-virus is no different than any other anti-virus company. They all have subscription models that you have to purchase to keep your virus defs up to date. Just because you can get a GPL application to do this for free makes this evil?
Is it not more wrong, from an economic standpoint, to offer such a thing for free? I guess if someone wants to waste their time to develop such a thing and offer it for free, including virus defs, more power to them.
But you want companies which pay developers good money to offer these products for free to you. This is not right.
CPUGuy gave a great reply to your nonsense, so I can follow with just two points.
>“3 “run Windows safely” is an oxymoron. It can’t be done.”
I must be Jesus because according to you I do miracles that can not be done.
>“This is why Windows has virus checkers and anti-spyware tools in the first place.”
“Feel safe in your house” must be an oxymoron, too, because houses have locks, security systems, and homeowners (in U.S.A.) can even buy guns for protection.
U.S.A. must be the most dangerous place to live, by your faulty logic.
Also, I do not run real-time anti-spyware on my computer and was about to get rid of anti-virus but I was offered one year of a free subscription.
Yet, when once every few months I scan my computer for spyware and viruses, all I have reported are tracking cookies. These I can live with, but I know how to get rid of them if I don’t want them, too.
>“In fact, Windows needs re-installation about every 10 months”
In fact, it does not. My corporate computer given to me 4 years ago still runs Win2K just fine, and all my home computers except one did not require Windows XP reinstallation since they were bought over a year ago.
The one that did had a faulty hard drive which was replaced by the manufacturer.
>“or every time you ring up the clueless Windows support people”
Culeless people with root password can do much more harm on Linux than they can imagine on Windows. On Windows, the worst is reinstallation of OS, on Linux they may try to recompile the kernel.:)
>“and Windows is designed to need replacing with an upgraded version every 3 years”
My dentist runs Windows 95 or 98 on her office computer. I am so willing to grab the mouse and check if it is 95 or 98, but I worry that I could inflict a lot of pain on myself if she catches me messing with her computer.
Again, you are wrong. People that have a clue can run Windows 95 today if they want to. With the falling prices of hardware it makes little sense, but it is technically feasible.
>“Linux systems have uptimes longer than that.”
As long as they are not connected to the Internet. What are you, Linux marketing department material?
With kernel patches released monthly you either patch the kernel every month and reboot- so your uptime is gone, or run Linux like morons who get their Windows infected with the worm exploiting a hole fixed 6 months ago- and blame Microsoft for it.
For these morons Microsoft’s OneCare is a great solution: they pay a modest fee and have their computer reasonably protected.
My brother is reasonably computer literate and in no way stupid. Despite this, his Windows machine – equipped with virus protection, firewall and spyware scanners – is overrun with malware within months. He’s just your ordinary play games and surf the web kind of user. I think Windows is treating him quite harshly…
Also, a comment about Windows and multi user: Yes, Windows NT is designed with multi user in mind. However, most Windows software is not. And because of legacy support, Microsoft have chosen not to force user privilege discipline on developers. The result is the security mess that is Windows today.
>Culeless [sic] people with root password can do much more harm on Linux than they can imagine on Windows
This is a gross assumption. In general, KDM and GDM do not allow root to log in to a desktop. Furthermore, with many Linux distros, you can’t even log in as root. You have to use sudo and enter the password every time you want to do something as root. This is actually a very safe practice.
The worst practice is when you log in to a GUI with full permissions. Even MS recognizes this and is moving away from this practice.
>>”Linux systems have uptimes longer than that.”
>As long as they are not connected to the Internet. What are you, Linux marketing department material?
How does being connected to the internet have anything to do with Linux uptime?
True, you do have to reboot Linux when you upgrade the kernel. But the kernel is rarely patched compared to all the MS patches.
CPUguy: Windows is no less safe than Linux.
There is some merit to this argument because certain distributions come with Samba, SSH, NFS, and other servers running. If the distros turned everything off, Linux would actually be much more secure by default. Windows is Swiss cheese, and the first thing you have to do is disable the network connection, disable all kinds of garbage like DCOM, and install a firewall to have any decent security.
Please, raise your hand if you’ve actually disabled DCOM.
Don’t get me wrong, Linux and Windows have their good and bad sides. Sound in Linux is terrible. Windows is a virus and spyware haven. You could have a useless back and forth argument all day.
But when it comes down to it, why would I pay $200 for an OS, and then another $100 to get office, then another $5-10 a month for security services? For a whole $0, I just switched to Kubuntu and everything just works. OpenOffice was free. All my old data, contacts, mail, everything — was ready for me to use.
Well I think people don’t want to move from Windows cause Linux still seems klunky and it can’t run games!! That’s what I have heard everyone say!! Hell @ UC Davis, where I just graduated from, we have excellent hacker style TAs who swear on MS!! Go figure! Not that I am slamming MS…much I mean I am an MS user myself and won’t move to Linux unless I just want to check out Gentoo 2005.x and compile the OS from scratch and so on…but that is only for curiosity’s sake. I know how to lock down my XP and make it a lot safer than regular XP installations so I am gonna be happy with it. I run my spyware stuff once a week and yes while that is kinda nuts compared to an OS which does not require the 3rd party software…I just run it for the definition updates. My current install after nLite has been going great for a while. I patch it whenever updates come out, I reboot only when I need to. My OS runs fine…no probs…I guess it is a matter of preference really. But damnit MS needs to make OneCare free. If they are truly worried about fixing their image they should make it free. Spyware, malware and viruses are an issue every Windows user has to live with because of MS’s incompetent programmers…it only makes sense that to fix the OS the service has to be free.
OTOH I can see how the OneCare service can cause people’s computers to die…remember SP2? If you had viruses and other malware already on your machine without your knowledge and you tried to install SP2, good luck…shit would just freeze up!! With OneCare I think the same is going to happen!! It is unbelievable as to the number of ignorant and retarded and oblivious Windows users that are out there thinking that their computer is ok…those people are the people giving all the Windows users a bad name. I think ISPs need to put a block on a machine that has spyware until it has been cleared out: plain and simple.
This I simply can’t believe.
1. A company makes a poor quality product then expects to be paid to make it better? And paid monthly forever?
2. If this subscription business doesn’t take off, MS will not put the resources behind it–e.g. virus signature updates within hours like the AV guys do.
3. If this subscription business does take off, MS will have incentive to keep Windows “out-of-the-box” porous/buggy/insecure as hell.
I simply find this whole thing amazing. Flabbergasting.
Why the heck do people support such an unethical company? Oh yeah, proprietary APIs and file formats.
Long term, MS is toast. Sooner or later someone will crack these few remaining secrets and the resentment will get higher and higher. Then there will be nothing MS can do to earn back the trust.
And that day cannot come soon enough.
“Just because an application is open source does not mean that spyware is not bundled with it”
Au contraire, yes it does. Most assuredly. If an application is open source, many thousands of qualified programmers other than the author have looked at it and vetted it. If those people use it, then it most assuredly contains no malware.
“are you going to go in and look at the code?”
I don’t have to – I just have to be assured that the code is open, and thousands of qualified people other than the authors have looked at it thoroughly, and they use it.
“Spyware has nothing to do with closed source applications, in fact, most spyware comes piggybacked on an install for another application.”
You left out one bit – it should read “most spyware comes piggybacked on an install for another closed source application”.
If it was an open source application, and the original author tried to put in some “fetch spyware” code – then that malware would either be simply rejected, or other people (other than the original author) would remove the malware parts (if it was BSD license or GPL) – so that they could use it without malware.
“You can not compare a car to an operating system.”
Sure I can. I just did.
“The insides of a car don’t have intellectual property that the manufacturer would like to protect”.
Actually, it does. The auto industry has just recently lost a case in the US because it tried to hide the meaning of diagnostic codes in order to create a lock-in of car repairers. The intent was you had to pay them or you wouldn’t be able to fix cars – the courts squashed it.
Now why can’t they do that for closed-source, I wonder?
“If a user is on Linux, they will know the root password because it IS their computer.”
Yes, in that context – but they won’t run as root. Many distributions will not even allow a graphical login as root. It is intended, and it is the default, that for normal use people will run as a user, and therefore be required to enter the root password any time something wants to futz with the machine configuration. This is straight away a giveaway that some piece of malware might be trying to get in.
“NT … wasn’t even a redesign of the old Windows. It was a completely new entity.”
Maybe, but it was designed for backward-compatibility with earlier Windows, which were single-user. NT uses the same API and ABI to maintain that backwards-compatibility – and that legacy breaks the whole purpose of multi-user. To this day, most users have to run as root in order to even be able to use Windows for normal day-to-day operations. This is bad for security – very, very bad.
“ActiveX is NOT part of the kernel (and neither is IE).”
Not strictly part of the kernel I agree, but according to Microsoft themselves they both are an irremovable part of the Windows core. Just try to de-install either one.
“And whether you would like to believe it or not, there are viruses that run on Linux. ”
I never claimed there were not – I just claimed that no viruses are open source.
Please try to argue what is actually said, and not silly strawman arguments.
“Windows is no less safe than Linux.”
Pfft. And I can fly to Jupiter – I have a house there you know.
“They all have subscription models that you have to purchase to keep your virus defs up to date. Just because you can get a GPL application to do this for free makes this evil? ”
No, of course not. What is evil is that the companies claim copyright on code (as is perfectly fine) but then they don’t publish the code. If I write a book or make some music and claim copyright on my work – I publish my work. That is the idea – I publish my work, everyone gets to read/hear/see it, but I still own it. Some software vendors don’t publish. That means they have an opportunity to hide away shoddy work or kludges or “call home” spyware or DRM or other stuff that deprives end users of rights.
Why are software vendors the only people to enjoy copyright protections on unpublished works?
“Culeless people with root password can do much more harm on Linux than they can imagine on Windows.”
Amongst the fifty or so inane things you have said on this thread, this is one of the more clueless.
Most Linux distributions will not allow a root login for the desktop. Most “clueless people” won’t go near a console. If a “clueless person” installs Linux and keeps a separate root account and user account – then he or she must log in using the root account.
If that person then goes to the GUI menus to “install software” – they will be asked to enter the root password but all that they will then be able to install is applications from the distributions repositories – which are all open source.
No spyware. No viruses. No damage possible.
Should have read “If a “clueless person” installs Linux and keeps a separate root account and user account – then he or she must log in using the non-root (or normal user) account.”
“As long as they are not connected to the Internet.”
No, you have got this confused with Linux machines.
Also, I did overstretch one point – it is possible to keep Windows machines going without catching malware, as I do this myself.
At home I am sometimes required to use Access Databases from my work, and my wife (a teacher) uses a grades program that runs only on Windows. So I make all of my machines dual-boot, and I keep one old 399MHz Celeron with Linux only. The old machine runs Linux and guarddog firewall and privoxy filtering proxy server. All machines are networked through a Linksys wireless router which in turn connects to the ADSL modem. I do not use DHCP, and there is a range of IP addresses set in the router which block access to the internet.
So when a machine boots Linux it has an IP address which lets it connect to the internet. When a machine boots Windows it is assigned an IP address that means it is blocked from the internet. Media Player, Outlook and IE cannot see the internet connection at all.
I then load Firefox on to the Windows machines and I tell Firefox (and only Firefox) the address and port of the privoxy proxy on the Linux Celeron.
This lets me get around the fact that I cannot de-install the security headaches of Windows – no part of Windows including IE, Outlook or Media Player (or even MSN messenger for that matter) can even see an internet connection.
In this way, I am able to keep the Windows machines clean – yet there is still a functional web browser on the systems.
Russian Guy: I must be Jesus because according to you I do miracles that can not be done.
<chuckles> I must be too. One Windows machine I set up has been running for about 10 years without any problems. (including no reinstallations or upgrades) Still runs like the day I set it up. And it’s used on a daily basis.
And all I can ever find that’s “negative” on my other Windows computers here are cookies.
Windows has its problems for sure. But you have to love how some people exaggerate. In fact, I’d say most of the problems are the people who set them up. For example, all the computers I set up so that the users don’t use (or sometimes even can’t use since I don’t give some of them the passwords) the administrator account. But all the software runs fine. You just have to set up the permissions correctly and a lot of programs don’t even need that.
I could go on, but I have more important stuff to do this weekend. This is a funny thread though.
Speaking of funny reads, here are a few gems you might recognize:
“Au contraire, yes it does. Most assuredly. If an application is open source, many thousands of qualified programmers other than the author have looked at it and vetted it. If those people use it, then it most assuredly contains no malware.”
I found the immense leap-of-faith that “open-source” somehow mandates the conclusion that thousands of eyes are looking/testing out a piece of software to be completely hilarious. You have no proof that this is true. At the very best one could claim most large open source projects get this kind of review.
“Yes, in that context – but they won’t run as root. Many distributions will not even allow a graphical login as root. It is intended, and it is the default, that for normal use people will run as a user, and therefore be required to enter the root password any time something wants to futz with the machine configuration. This is straight away a giveaway that some piece of malware might be trying to get in.”
Once again naivety abounds; you are speaking about the same users that when polled will give away their computer passwords for a chocolate bar cited in those surveys on the register? If you ever have any room in your fantasy land where everyone is computer savvy and has the inclination to care what they are giving permissions I’d love to join in.
“Not strictly part of the kernel I agree, but according to Microsoft themselves they both are an irremovable part of the Windows core. Just try to de-install either one.”
http://nuhi.msfn.org/nlite.html
Knock yourself out… It’s a very effective tool for removing Windows components and creating your own installation CD. If you’re going to post, you might as well post about things you know about; obviously it’s not what is and is not removable in Windows.
“On Windows systems, many other users also require Admin rights in order to be able to run the applications they need.”
This is cute.
Have you stopped for even a second to think about where the blame should be placed for this? (I’ll give you a hint – not Microsoft.) How about something even simpler; what “admin rights” do these programs need? I’ve seen plenty of these so-called “needs admin rights” programs that just want write access to the directory they are installed to. That’s certainly not “requires” admin rights material.
So why do people say they need admin rights? People are lazy. They’d rather have an admin account than play with filesystem permissions so that a poorly designed application works correctly. This is how most users act while simultaneously saying windows is insecure, blah, blah, blah. I have little doubt that taking short cuts, and finding ways around “security annoyances” is exactly how those same users would behave if they were using Linux.
“I found the immense leap-of-faith that “open-source” somehow mandates the conclusion that thousands of eyes are looking/testing out a piece of software to be completely hilarious. You have no proof that this is true. At the very best one could claim most large open source projects get this kind of review. ”
I laugh at your lack of imagination. There are 17007 applications in the Debian repositories, and 22,000-odd open source applications available on Sourceforge. That is a huge multitude of programmers right there, to create that lot. All of them can look at each other’s code. If an item is in the Debian repositories – it has been thoroughly tested and vetted – no question.
There is absolutely no doubt whatsoever that if an application is in the Debian (or other Linux) repositories it is open-source and it contains no malware code. Guaranteed. Nothing surer.
“Once again naivety abounds; you are speaking about the same users that when polled will give away their computer passwords for a chocolate bar cited in those surveys on the register? If you ever have any room in your fantasy land where everyone is computer savvy and has the inclination to care what they are giving permissions I’d love to join in.”
What the hell is wrong with you? This goes against my very premise in the first place. Perhaps I should re-state it for you since you have lost track of what you argue against. What I **SAID** was that if people constrained themselves to install only open-source applications, then they can easily guarantee a system without spyware or viruses. This says nothing on how people actually behave – it says only that there is a simple method whereby anyone can assure themselves of keeping a clean system if they follow it.
Just install only open-source applications. Get them exclusively from the repository of the Linux vendor is one easy way to do that. If one follows this simple policy, then they will have no viruses or spyware. Guaranteed.
If one strays from that policy and install any closed-source applications (or indeed closed-source Operating Systems in the first place) – then there is no such guarantee.
Where in any of this did I come anywhere close to what you imply I said with your drivel about the cluelessness of some users?
I call strawman argument **AGAIN**. You Windows fanboys sure are fond of arguing against something the other guy never said, aren’t you?
“Have you stopped for even a second to think about where the blame should be placed for this? (I’ll give you a hint – not Microsoft.)”
Not so. Microsoft made a single-user system to begin with (MSDOS, Windows 3.1, Windows 95, Windows 98 and Windows ME) – and all the application interfaces (the APIs and ABIs) and the original filesystems (FAT16, FAT32) were designed without any notion of file permissions. In order to support legacy applications, security is still broken on Windows systems to this day. This is 100% wholly and utterly Microsoft’s fault. You can still (for example) install an application on a FAT32 filesystem so that it has no associated permissions – and Windows will happily try to execute it as long as it has an “.exe” extension. This is just one thing amongst a huge number that is totally borked in Windows with regard to security. It is Microsoft OS that started out without security, not the applications written for it.
“If you’re going to post, you might as well post about things you know about; obviously its not what is and is not removable in Windows.”
Removing IE and Media Player from Windows is a very involved and complex task, and even if you were to use some obscure tool to do it there is no telling what else you will break.
Microsoft themselves attest to this, in court, under oath. Yet I am supposed to believe Vince instead?
Pfft.
“They’d rather have an admin account than play with filesystem permissions so that a poorly designed application works correctly.”
On Windows, yes.
On Linux systems, if it is open source and one cannot run it as a normal user (after having installed it as root) – then it won’t get into the repositories. It would be broken. If the original author won’t fix it, then another programmer might – and only then would it get to be released into the repositories.
This is not to say that there aren’t malware or broken applications out there. There are. They just won’t be in the repositories.
So if you have a policy to install stuff only open-source from your Linux distribution’s repository – you won’t go wrong. No spyware and no viruses and no malware ever. Easy peasy. No virus checking required, either.
If you install stuff from elsewhere (including if your e-mail or browser program asks you), or if you install any closed-source stuff, then you could have trouble.
Is it just me, but when I’m trying to troubleshoot somebody else’s code I find it to be such a major pain. I get paid to do this and trawling through pages and pages of code to find a bug I know exists is not my idea of fun. But it’s a living.
Are the people on this forum really suggesting that there are thousands of programmers doing this for fun for Open Source software on the off chance they might find something? Now that’s dedication. Just think of the hours these guys must be putting in to read somebody else’s code. Not just read it but analyse it thoroughly to make sure that no bugs exist. These guys must get paid a fortune to do work like that.
I don’t know about thousands of people searching through someone else’s code that they have no interest in.
Surely however they would scan through someone else’s code that they wanted to use themselves. At the very least to make sure there were no “calls home” or other types of malware or spyware in the code.
There are many, many thousands of contributors to Open Source. These people are also the users of Open Source.
I’m 100% certain they have no wish to inflict malware on themselves. That would make no sense whatsoever.
Also to consider – what would be the reputation of anyone who tried to submit open source code with malware in it? AFAIK this has happened just once in the history of Open Source, that was spotted in the first rounds of review and the code in question was never released – and of course there has been no code accepted from that party ever since.
You’re somewhat naïve.
Yes, there’s a lot of OSS code, constantly watched/checked against problems, like the Linux kernel or BSD base system. Yes, there are a lot of small, well-maintained applications, where introducing even a few lines of incorrect code is clearly visible to the code maintainer.
But take some other big-scale project, like OpenOffice.org. Just recently they cried about a lack of developers – there are about 60-70 developers for OOo; other people just cannot effectively contribute – the amount of code is too big. And you’re talking about thousands of eyes – nonsense. Of course OOo is not the best example – it’s half-commercial; Sun’s 50 devs probably track commits and do not let bad code in so easily.
Same for Firefox – why has code quality decreased? The need for features outweighs the need for quality code. I have no data about how many active developers Firefox has; somewhere I heard the number 6, and of these 4 were not active enough… I can be wrong; correct me if you find other numbers.
You say that OSS contributors are not interested in including spyware in their product. Of course they are not, but once some piece of software (especially a browser, but not only) gains a big enough market share, there pop up other groups of “developers”, who will be paid enough for infecting this software. At some level commercialization takes over – and bye-bye to all your illusions about open source.
“I laugh at your lack of imagination. There are 17007 applications in the Debian repositories, and 22,000-odd open source applications available on Sourceforge. That is a huge multitude of programmers right there, to create that lot. All of them can look at each-others code. If an item is in the Debian repositories – it has been thoroughly tested and vetted – no question.
There is absolutely no doubt whatsoever that if an application is in the Debian (or other Linux) repositories it is open-source and it contains no malware code. Guaranteed. Nothing surer.”
This isn’t a logical conclusion. All you’ve said is developers and third parties CAN look at each other’s code on places like sourceforge. You have no proof they actually do this. None. Nothing of substance. So if you’d like to talk about strawman arguments you might look at your own. What is even more laughable however is your unfounded belief that all the other people actually look through the code before they use it, when you yourself are too lazy and just blindly trust that it’s safe.
“Microsoft themselves attest to this, in court, under oath. Yet I am supposed to believe Vince instead?
Pfft.”
No I don’t expect you to believe my word alone, hence why I provided a link to that piece of software, along with its available source code, the developer’s email, and an active forum of people who are using the software. Which is a stark contrast to your arguments which amount to little more than completely unsubstantiated open-source hubris. If you’ve got something in the way of proof; other than your “I’m too lazy but I’m sure other people look at it because it’s an option” mantra, you’re welcome to post it. (As this little saying of yours is getting quite tired.)
As for that little diatribe you went on about installing on FAT. Windows does not use FAT as a default file system and has not for about half a decade. I know it might be hard to grasp but you’d have to purposely make a FAT partition and install applications on it to have the kind of “insecurity” you’re talking about. Oddly enough, it’s the same case with Linux, which supports accessing FAT partitions as well. In essence like most of what you’ve said – it’s all shouting at the rain with no real point.
(My work is pretty well done. So I decided to come back and say a few words.)
mark: Surely however they would scan through someone else’s code that they wanted to use themselves. At the very least to make sure there were no “calls home” or other types of malware or spyware in the code.
As a developer who knows other developers (Granted I’m primarily a graduate student, but still) I can tell you that I (and the people I know) do not have the time to look through all the programs we use. Sometimes there isn’t even time to look through the source code that my source code is going to be linked with. Even when people do look at other people’s source code problems are not immediately evident. As Micko said:
Micko: Is it just me, but when I’m trying to troubleshoot somebody else’s code I find it to be such a major pain.
Why is there no time? Simple, I have my own project(s) and my own deadlines. If I took the time to look through every scrap of source code checking for problems, I’d never get done.
mark: There are many, many thousands of contributors to Open Source. These people are also the users of Open Source.
True, but each project does not have “thousands” of contributors. A number of projects are in fact short on the number of people they need or could use. Like DonQ mentioned OpenOffice.org.
mark: Also to consider – what would be the reputation of anyone who tried to submit open source code with malware in it? AFAIK this has happened just once in the history of Open Source, that was spotted in the first rounds of review and the code in question was never released – and of course there has been no code accepted from that party ever since.
I’m not familiar with that particular incident. But one thing I do know is, that you would have to be stupid to make any “hostile code” stand out. For example, you wouldn’t want to comment it or create function names like PilferedData or what have you. Instead, you would attempt to “blend it into the background”. Make it an intentional bug. A bug with a purpose.
I don’t know how easily this could be done or what type of damage you could do. But I know it can be done. I also know that these types of things would have a good chance of slipping through. After all open source programs are not bug free. Even if one or more don’t slip through, it is unlikely to damage your reputation since if it is done right, it will be difficult to impossible to even guess (never mind proving) that the bug was intentional and so you can always try again another day.
As far as closed source apps go, there are plenty of ways to take care of them if you don’t trust ’em, it’s just that most people don’t bother. Just like a lot of people don’t bother to go through the source code of open source programs.
mark: … are just a few places amongst hundreds that show the on-going evaluations made concerning code submitted as potential open source software.
1) And all examples you gave are LARGE PROJECTS exactly what someone else said. Many projects are much smaller.
2) None of the websites mentioned have any statistics as to how many people actually review the source, therefore they do not support your claim anyway. (The only one that’s anywhere close is http://www.kernel-traffic.org/ But I still did not see any statistics there. Of course, I could have missed them. But that particular website only seemed to have some statistics for contributors to the website. Which was fairly high 1824 contributors. But… “Barely thousands” in fact it doesn’t even make 2,000.)
3) One website you mentioned makes absolutely no mention of any kind of evaluation. (http://www.debian.org/social_contract) Granted, I could have missed it. However, it does state that software that does not meet their criteria is still available for download, it just isn’t officially part of the Debian system.
4) One of the websites even goes against your whole argument. (http://www.gnu.org/help/evaluation.html)
I suggest you actually read what you post as examples. For example, with the GNU website it basically mentions that you “need not be an expert, you need not compile, you need not run, etc…” (Not a direct quote, but that’s basically what it says) What is important is “Timeliness is of the utmost importance in doing an evaluation.” (That is a direct quote) Meaning they do not gain a complete understanding of the program. Also, “We can always use additional volunteers to commit to helping evaluate the software we are offered through the procedures above.” (Also a direct quote) Which indicates they can always use more evaluators. This does not mean that they are necessarily short, but… As I’ve stated before most people I know are doing their own thing.
You really should post better URLs for supporting your arguments.
You don’t seem to grasp that while some evaluation of code is in fact done, it is not “thousands” of skilled evaluations for every open source project like you originally stated.
For the very largest projects that is quite possibly true. I would have no statistics for those nor do I worry about them. (I’m just a user for those projects. I’m too busy with my own stuff to worry.) But I would imagine they get quite a bit of review. (Though I do have to wonder about the “thousands” part even then.)
Also… Sometimes it takes awhile even for people who are official members of a project to get around to reviewing code. I know this from experience. One of my projects sat for weeks without review by my team mates while they were busy doing other things and they had an active interest in my part working correctly.
Also… Having worked on some websites in the past, I doubt it would have gotten much review if I had placed the code up on a website. In fact, it’s quite possible it would have had zero review in all that time.
I also know a number of big fans of open source (I use a number of open source programs, but I’m not a “fan” really) and to my knowledge they have done zero reviewing of other people’s code besides what they’ve “had” to review.
A lot of people really couldn’t care less about other people’s projects. It’s normal. I suggest you actually go around and check out all the “dead” projects. Some of them are actually quite interesting/useful, but they’re incomplete and no one has bothered to pick them up. If people are so into reviewing other people’s code, they can also easily help out a dead project a little.
My question to you is have you reviewed anyone else’s code? If so, would you say that you had a VERY solid understanding of everything it did? Would you say that you would be able to find problems with the code?
Don’t tell me you don’t trust the source code in any closed source product like ones from Norton, Adobe, Ahead, Microsoft and the like or even small apps like the free ones from download.com. They are not open source but they are free and are tested to be spyware free (adware doesn’t count). They are pretty much as usable as the OSS apps from the GNU project and (REPEAT) are equally as safe and secure. So why are you making this hype about Open source? You are acting like a troll (an OSS troll). I personally use free apps on a legal version of Windows. I use both OSS and CSS side by side and I see both of them are good enough to be used.
As I say, you can lead a horse to water, but you cannot make them drink.
Norton is OK but expensive for what it does (and all it provides you in the end is to make up for Microsoft deficiencies), Adobe contains advertising (and of late I prefer kpdf in KDE 3.4), Ahead was at one time a good product but is behind K3B lately, Microsoft has “call home” spyware, it assumes that users are criminal (CD keys and product activation), it rats on users, and Microsoft has DRM and other lock-in. Lately Microsoft has made attempts to force people into a subscription model – “software for rent” just keep on paying and paying. Thanks, but no thanks.
Microsoft could very easily port their Office suite to run on Linux, or it could make Office support the new OASIS standard, but it does neither to support its own lock-in. The more Microsoft tries to lock people in, the less I (for one) am inclined to use it.
All of this opposed to people who are prepared to offer you the code for free, who support open standards and who collaborate to continuously improve their product.
The only thing I can put it down to is either (a) people just can’t believe how good a deal they get with the FOSS compared with proprietary software, or (b) people are thoroughly stupid and believe the self-serving rubbish and utter bull**** that Microsoft sprouts at them such as “our expensive products cost you less than free” and other “big lie” statements they make.
Honestly – I don’t mean to hype you. I have nothing to sell. I’m not after your $$$, or your time or anything at all. I am a very experienced systems engineer, and I can filter out marketing spin, and I know the good oil when I see it.
I am just trying to tell people what the good oil is. I feel like shaking people sometimes when they can’t or won’t see where they are better off.
But, at the end of the day, it really isn’t much skin off my nose. I guess you bozos can take it or leave it as you please – I can’t make you see sense, God knows I’ve tried.
The only thing is with all your pandering to your apparent Lords & Master in big American corporations there is a chance you could marginalise or freeze out open source, or God forbid all your bought & paid for politicians to make FOSS illegal in America.
FOSS would continue elsewhere, but then there is a danger of FOSS being ever less able to interoperate with Microsoft products as Microsoft move more & more towards lock-in of their customers and lock-out of everyone else.
This is what I work against, I suppose. At least I try.
“adware doesn’t count”.
Yes, it does. I very much resent an advertiser using my equipment and my paid-for bandwidth to advertise their product uninvited on my machine. I consider this a trespass.
I will not support anyone who tries to rip me off in such a fashion. I would sue them instead for mail fraud if I thought I had half a chance.
I have been running Windows XP for the last three years on various hardware and I have found freeware alternatives for all the apps that I use (all of them free of spyware and adware) except for Nero 6.6 Ultra (I love this app) and I feel as productive as I would be in a complete FOSS solution. Once you own a legal version of Windows there is an alternative for every type of app. Well if you really want to keep spyware/adware/viruses from executing you can change your user type to a customised one with very specific user rights and local security policy and you can avert a major virus attack. If you are less lazy and don’t leave every little thing on the OS (like managing your user rights) and if you care to read through a review of any free/proprietary software you download you can certify it as spyware/adware free. And get my word there is an alternative for every type of app there that is free CSS or OSS.
mark: <clip> All of this opposed to people who are prepared to offer you the code for free, who support open standards and who collaborate to continuously improve their product. <clip>
Your best argument thus far in the whole thread. When you severely exaggerate, it does not help your cause. When you insult people like so:
mark: As I say, you can lead a horse to water, but you cannot make them drink.
It does not help your cause.
Arguments like your other ones only make people laugh. Kind of like this one student I used to know at a university who would stand up and make some exaggerated statement about open source in the middle of class every so often. Do you think he won any converts? No. How about the few people who wrote essays about open source when they were supposed to be writing about something else? No.
And did the thought occur to you that some of us are supporters of Open Source (to some extent) we just feel that your statements were total exaggerations? (I personally feel both Open Source and Closed Source have their places.)
I myself have been using Linux, gcc, etc. for about (what was it?) 10 years. I use whatever software I happen to feel like using.
Anyway… I need to get back to work again.
(I found out someone sent me a response that was moderated down. I heard it was quickie, so I came back to respond to it.)
mark: My question for you is how many times does anyone get to review all of the code of any alternative systems?
Linux = OK.
BSD = OK.
Open Source applications for either of the above – OK.
Anything else = hidden (or at least critical bits are).
First of all. There are other open source operating systems. Like AtheOS. Second of all, “closed source programs” aren’t always completely “closed source.” Sometimes it is possible to get the source code for review or other special cases. Also, some “closed source programs” are in fact “open source” but don’t fit the official definition, because they have a SLIGHTLY unusual license. (Like one of the old programming libraries I used to use under DOS.)
Also… With closed source programs, you can actually extract some to a lot of source code, if you are willing to use the correct tools. For example, with Java programs you can use Reflection to get an idea of how the program works. There are also decompilers and disassemblers for different platforms. You can also use various tools to monitor a program as it runs to determine what it is actually doing as it does it. While that does not give you the source code, it does tell you what the program does. And what it does is the critical bits.
In fact, if you have actually reviewed other people’s source code “countless times” you would know that sometimes determining what a program does from the source code is sometimes much harder than just running it and “observing it” as it runs.
Granted… I am not familiar with all the latest tools that do these things. (I used a number of these things years ago after all, but I’m sure they still exist. Why would they get rid of ’em?) But I use Reflection today. And I vaguely recall someone mentioning one or more tools like these a few months ago here on OSNews, along with actual URLs to go get them. And I know that there are actually some tools for the home user that do some of these things. (Like the Norton Firewall which tells you when a program is trying to access the internet. I think that might be kind of important for pilfering data from your computer and sending it to someone else, don’t you think? Granted it’s not perfect but it is similar to the type of tools I’m talking about.) I also know some students who are developing some versions of said tools, so I know some people are still working on them.
As I said… I’m not familiar with the latest ones, because I don’t use them anymore. Otherwise I’d give you the URLs.
Also… There are always “patches” coming out for various closed source programs from sources other than the original producer. I don’t actively participate in those things (since most of them are “patches” to make a program lose its copy protection) but I have seen them and I used to use a few on occasion. (Like there was one that made Master of Magic multiplayer. I used to use ones like that. I wonder if it’s still available on the internet anyway…) If it’s impossible to figure out how closed source programs work, then how can 3rd parties produce these things?
As I said before… Back to work. I won’t be returning for another round of this in this thread, particularly since you offer me no new info and are so insulting, when I’ve tried to be (reasonably) polite to you.
Yes you can get it, no doubt. I guess the problem here is only that it is “on Windows” in the first place – and Windows is so easily compromised through fundamental design flaws and its attempt to retain compatibility to legacy applications written for a time when Windows had no security at all.
I am an engineer, and believe me when I tell you Windows itself is fundamentally flawed. It is no good at all in an environment where other parties with dishonourable intent can access your equipment in any way.
Sorry but I don’t mean to be rude or insulting … but please try to get this from my point of view. I have approximately 25 years experience spread approximately equally between hardware and software engineering design – and I have designed systems that contain collections of upwards of 25 co-operating computers – systems more complex than aircraft.
I had a perfectly valid point to make and a desire to help people who might be concerned about security on their systems. On this thread I have been called naive and ignorant by various posters who simply do not know of what they speak … and a few times there have been posters shouting angry arguments back about things I simply did not claim. It is like a professor getting howled at by his class of freshmen.
Sorry if you came in late and got a bit of short shrift.