#41 kinggo (Posts: 943 | Thanked: 3,228 times | Joined on Jun 2010 @ Zagreb)
Originally Posted by juiceme

The only possible safe way is that the service provider publishes a sane API and the applications using it are provided in source form to be compiled by oneself. Binary distribution can be allowed if the sources are available and mechanism for reproducible build verification exists.
Sorry, but how is that better for the ~98% of people who don't know anything about coding? I mean, I do know how to compile some basic stuff on Linux, use AUR or svn or git... But I still have to trust that source the same way I trust a precompiled binary.
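The "reproducible build verification" juiceme mentions is what turns "I still have to trust the source" into something checkable: nobody has to read the code, several independent parties just rebuild the published source and compare one hash with the vendor's binary. The script below is an added illustration, not code from this thread or any real project; the source tree, the three rebuilder names and the tarball-as-binary are all constructed for the demo.

```python
import hashlib
import io
import tarfile
import time

# Constructed sample source tree standing in for a published project.
SOURCE_TREE = {
    "Makefile": b"all: main\n",
    "src/main.c": b"int main(void) { return 0; }\n",
}
SOURCE_DATE_EPOCH = 1700000000  # fixed timestamp, the reproducible-builds convention
BUILDERS = ("rebuilder-a", "rebuilder-b", "rebuilder-c")  # hypothetical independent rebuilders

def build(source, host, deterministic=True):
    """Turn `source` into a release artifact (a tarball stands in for a binary).
    The deterministic path fixes file order, ownership and timestamps; the other
    path embeds the builder's hostname and clock, as many real toolchains do, so
    two honest builders emit different bytes and the artifact can't be checked."""
    files = dict(source)
    if not deterministic:
        files["build-stamp"] = f"{host} {time.time_ns()}".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):  # sorted: directory order must not leak in
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = SOURCE_DATE_EPOCH if deterministic else int(time.time())
            info.uid = info.gid = 0
            info.uname = info.gname = ""
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def verify(vendor_artifact, rebuilder_hashes, quorum):
    """Accept the vendor's artifact only if at least `quorum` rebuilders got a
    bit-identical result from the published source: rebuild, then compare one hash."""
    digest = sha256(vendor_artifact)
    agreeing = sorted(w for w, h in rebuilder_hashes.items() if h == digest)
    return len(agreeing) >= quorum, agreeing

def check_release(vendor_source, deterministic=True, quorum=2):
    """Vendor ships an artifact built from `vendor_source` (which may differ from
    what it published); the rebuilders build the published SOURCE_TREE."""
    vendor = build(vendor_source, "vendor", deterministic)
    reports = {w: sha256(build(SOURCE_TREE, w, deterministic)) for w in BUILDERS}
    return verify(vendor, reports, quorum)
```

A vendor binary built from source that differs from what was published fails the quorum, and so does an honest but non-deterministic build, which is why the build process itself has to be made reproducible before the check means anything.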
#42 pichlo (Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK)
Originally Posted by kinggo
Sorry, but how is that better for the ~98% of people who don't know anything about coding? I mean, I do know how to compile some basic stuff on Linux, use AUR or svn or git... But I still have to trust that source the same way I trust a precompiled binary.
Exactly! Forget the 98%, published sources hardly help even the expert programmers. Who on earth has the time or expertise to review 5 million lines of code?

Having said that, I agree with juiceme on one point. I don't really care about the application being provided in source or binary, but the API should definitely be open and public. Otherwise you never know what even the intention is, let alone the implementation.
#43 pichlo (Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK)
Originally Posted by juiceme
If you install any random binary-only application to your device you will grant it at least user-level system access to your device, in some cases even root-level access. (And for most systems it is enough to have user-level access, as there are new privilege escalation holes all the time...)
That is a very old skool way of thinking. No one gives a damn about root any more, especially on a mobile device. User level is where all the important stuff is: your address books, your emails, your login details to various services including online banking... What can root give you on top of that? Install a new driver? So what?
#44 nthn (Posts: 764 | Thanked: 2,888 times | Joined on Jun 2014)
Originally Posted by kinggo
Sorry, but how is that better for the ~98% of people who don't know anything about coding? I mean, I do know how to compile some basic stuff on Linux, use AUR or svn or git... But I still have to trust that source the same way I trust a precompiled binary.
You could say the same thing about ingredient lists or expiry dates on food items, they only show what should be in there, but still someone might have poisoned your cookies. It's reasonable to assume that there are no real lies on the package, that your cookies will contain exactly and only those things listed in the ingredients and that they didn't expire five years ago. This doesn't prevent the cookie company from telling any lies (companies being called to court for false advertising is not uncommon), but it creates some trust that otherwise wouldn't have been there. I don't extensively read the ingredients on my cookies, but knowing they're there sufficiently satisfies my curiosity (side note: I'm thinking interpassivity may be at play here) and I don't think I would have bought them if there were no ingredients listed at all. Of course, this in itself doesn't explain why I would eat anything at a restaurant or at a friend's place, because usually the ingredients of the food aren't listed there.
#45 nthn (Posts: 764 | Thanked: 2,888 times | Joined on Jun 2014)
Originally Posted by pichlo
That is a very old skool way of thinking. No one gives a damn about root any more, especially on a mobile device. User level is where all the important stuff is: your address books, your emails, your login details to various services including online banking... What can root give you on top of that? Install a new driver? So what?
I agree, but I think root access is still relevant for installing hidden Bitcoin miners or DDoS applications and such, so situations where the attacker is not interested in data, only money or whatever the intentions behind DDoS attacks are.
#46 pichlo (Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK)
@nthn, I agree, although if I get it right, you compare published ingredients to published code. I would compare them to a published interface. Published code would be equivalent to a full recipe, including the order of adding the ingredients and cooking times. You get basic nutrition information (API) on most food packages, but the exact recipes (source code) are usually a trade secret.
#47 nieldk (Posts: 1,288 | Thanked: 4,316 times | Joined on Oct 2014)
Originally Posted by nthn
I agree, but I think root access is still relevant for installing hidden Bitcoin miners or DDoS applications and such, so situations where the attacker is not interested in data, only money or whatever the intentions behind DDoS attacks are.
For Bitcoin miners, really, you don't need root.

As for the open source part mentioned by @juiceme: I agree with juiceme. Without sources it's damn difficult to figure out what's going on. Sure, ordinary users probably don't care. But having the sources makes auditing way easier. It's old-school, but damn right necessary.
#48 pichlo (Posts: 6,445 | Thanked: 20,981 times | Joined on Sep 2012 @ UK)
Originally Posted by nthn
I agree, but I think root access is still relevant for installing hidden Bitcoin miners or DDoS applications and such, so situations where the attacker is not interested in data, only money or whatever the intentions behind DDoS attacks are.
It is also relevant on servers that store personal data of thousands of users. Root will give you access to other users' data. I believe this is where juiceme was coming from, which is why I emphasised mobile devices. You raise an interesting point, though I am not sure how relevant bitcoin mining is on mobiles.
#49 nthn (Posts: 764 | Thanked: 2,888 times | Joined on Jun 2014)
Originally Posted by pichlo
I am not sure how relevant bitcoin mining is on mobiles.
I'd say every bit helps.

It is actually a problem, though.
#50 kinggo (Posts: 943 | Thanked: 3,228 times | Joined on Jun 2010 @ Zagreb)
Originally Posted by nthn
You could say the same thing about ingredient lists or expiry dates on food items, they only show what should be in there, but still someone might have poisoned your cookies. It's reasonable to assume that there are no real lies on the package, that your cookies will contain exactly and only those things listed in the ingredients and that they didn't expire five years ago. This doesn't prevent the cookie company from telling any lies (companies being called to court for false advertising is not uncommon), but it creates some trust that otherwise wouldn't have been there. I don't extensively read the ingredients on my cookies, but knowing they're there sufficiently satisfies my curiosity (side note: I'm thinking interpassivity may be at play here) and I don't think I would have bought them if there were no ingredients listed at all. Of course, this in itself doesn't explain why I would eat anything at a restaurant or at a friend's place, because usually the ingredients of the food aren't listed there.
While all that might be true, an Average Joe will know the difference between banana and strawberry flavour on the very first bite. With code... not so much.
In so many situations we just have to trust the other party first, and then time will tell...
But what really surprises me is that even with every bit of code open and with unhackable encryption you are still at the mercy of your service provider or government, because they can shut your service down or block access. And even if you wanted to build an alternative infrastructure, you can't, because all of that is or needs to be regulated by the state.
In the end, it's just a question of whom you trust more with your data: the app developer, the HW manufacturer, the service provider, your government... or your ex, when they hit you with revenge porn. Because in the end even the person on the other side of that encrypted something can betray your trust.