Hi,

11 Apr. 2020 at 19:48, from scdbac...@gmx.net:
> l0f...@tuta.io wrote:
>
>> I don't really
>> think Linux is intrinsically more secure than Windows nowadays (a
>> vulnerability remains as such) but I really think Linux ecosystem is.
>>
> This might be a merciful misperception. To my theory, free virus producers
> are just much better programmers than those of MS-Windows malware.
>
> "When you do things right, people won’t be sure you’ve done anything
> at all." - Futurama
>
Could you explain that please?

12 Apr. 2020 at 00:01, from j...@jretrading.com:
> (Most) Linux users are horrified by the thought of surfing the Web with
> root privileges, most Windows users are not even aware that their
> computers can be run at one of two privilege levels (many more with the
> business/professional versions).
>
Yes, and if they are aware of that, they tend to think more is better. Least privilege in security is a leading principle but for the average person it's just seen as useless/unfair restrictions. People may feel less powerful and don't understand why they don't have full permissions.

12 Apr. 2020 at 08:52, from andreimpope...@gmail.com:
> On Sb, 11 apr 20, 19:06:59, l0f...@tuta.io wrote:
>
>> * Most software is downloaded through official preconfigured
>> repositories. Users are less prone to download malware on suspicious
>> websites
>>
> There are sufficient tutorials advising to download random scripts and
> run with root privileges.
>
>> * Updates are easier as well because tracked/centralized through
>> repositories themselves for the most part. On Windows you need to
>> check Windows Update + Windows Store + each application individually
>>
> Would be the same on Debian if you chose to install additional software
> with some other package manager and debs downloaded from whatever
> website.
>
Yes, of course, you're right. That is why I used "most" 2 times ;)
Indeed, users are free to go off-piste.

>> * Open source is more common on Linux (community-based) than Windows
>> (money-based) so theoretically anyone competent enough could view the
>> source by oneself and spot a malevolent behavior (/!\ in practice this
>> is not so easy, see what happened with OpenSSL / HeartBleed)
>>
> You probably mean Linus's law[2]. Unfortunately the reverse is true as
> well: without sufficient eyeballs there will be many bugs.
>
Thanks, I didn't know about this designation.

12 Apr. 2020 at 18:25, from cele...@gmail.com:
> On Sun, 12 Apr 2020 17:41:54 +0200
> <to...@tuxteam.de> wrote:
>
>> Trust is a complex beast. At its bottom it can't be completely
>> rational, but usually you trust a community because you somehow
>> think you understand how it works and you trust the information
>> chain linking you to that community.
>>
> Exactly. So if I trust the Sandstorm community (for example - I know
> nothing about them), then I'm not sure that there's any particularly
> great risk in installing their product via "curl | bash", and if I
> don't trust them, I shouldn't install their product via any other
> mechanism either.
>
Yes, this is the basics. But you can encounter dangerous situations later that can easily jeopardize your initial trust, e.g.: owner's change.
A black hat can register some expired/deleted legitimate resources (website, account) and start serving malware instead while current users are not aware...
Tomas has mentioned another variant with event-stream where a volunteer (but ultimately malevolent) person simply asked to take over the maintenance.
So I would say that trust is a perpetual exercise.

Best regards,
l0f4r0