How much do you trust Debian?

Off-Topic discussions about science, technology, and non Debian specific topics.
NFT5
df -h | grep > 20TiB
Posts: 597
Joined: 2014-10-10 11:38
Location: Canberra, Australia
Has thanked: 10 times
Been thanked: 43 times

Re: How much do you trust Debian?

#61 Post by NFT5 »

Marie SWE wrote: 2022-03-19 22:38 or some ransomware, then it can't send data or spread in the network as that program doesn't have an applied outbound rule.
I don't believe a firewall will stop ransomware infecting the LAN. But your other comments about users being the weakest point are quite true. There is no doubt in my mind that all the backing up that I've set up to happen automatically is to guard against my stupidity more than anything else.

But, do I trust Debian? In terms of individual developers, generally yes. That said, I have some concerns about individuals in "management" positions.

Marie SWE
Posts: 241
Joined: 2021-04-06 22:14
Location: Sweden / Linköping
Has thanked: 7 times
Been thanked: 9 times

Re: How much do you trust Debian?

#62 Post by Marie SWE »

NFT5 wrote: 2022-03-23 01:57
Marie SWE wrote: 2022-03-19 22:38 or some ransomware, then it can't send data or spread in the network as that program doesn't have an applied outbound rule.
I don't believe a firewall will stop ransomware infecting the LAN. But your other comments about users being the weakest point are quite true. There is no doubt in my mind that all the backing up that I've set up to happen automatically is to guard against my stupidity more than anything else.

But, do I trust Debian? In terms of individual developers, generally yes. That said, I have some concerns about individuals in "management" positions.
When WannaCry was a zero-day and it infected one of my laptops (way before my Linux switch), then my internal software firewall (third-party software) stopped it from spreading in my network and calling home. Even if a virus can rewrite or disable the firewall.. it's always one more defense to have.. and stopping software from calling home; for example, evilgnome was a calling home software.
So true. :D And noobs are experts on doing stupid things.. I have crashed my Debian update as one example of a stupid thing. :lol: :mrgreen: :lol:

Edit
I forgot to respond to your last sentence. :oops:
Okay. As I understand it, everything is open source (I am new to the Linux sphere)
But since it is open source code, anyone who can program can view the code and discover things, so the risk is too great for someone to do something stupid that can be traced back to the individual. So even if you may have concerns about "individuals in management positions", as you express, I think the risk is microscopic that it can have any impact on the whole thing. 8) So don't worry

English isn't my native language, but I hope you understand what I meant anyway.
Why make things complicated in life, if you can make it easier for yourself... Do it. ;o)
You only have one life, so make the most of it and enjoy it while you can.

Shamak
Posts: 147
Joined: 2018-04-14 00:33
Has thanked: 11 times
Been thanked: 8 times

Re: How much do you trust Debian?

#63 Post by Shamak »

LE_746F6D617A7A69 wrote: 2022-03-22 23:22 I'm watching the CVEs very carefully - the thing is that the CVE database is only providing "hints" - to analyse the threat, You have to understand the code and try to execute the POC example.
The "use after free" CVE vulnerabilities are extremely hard to use outside of a laboratory -> in our world the safety of computers is foremost a business ;)

F.e. the "Dirty pipe" (CVE-2022-0847) has been rated as "critical", but it's a local privilege escalation case - it can't be used without preparing the system for the attack.
So I took a look at the Ubuntu page where they have cve-2022-26485, the zero day for Firefox and Thunderbird I mentioned.
https://ubuntu.com/security/CVE-2022-26485

It lists the release date of the fix for Firefox but says "needs triage" for Thunderbird. This seems to indicate that Ubuntu hasn't tried to determine if Thunderbird on Ubuntu is even vulnerable to cve-2022-26485. Am I right? Now they did update Thunderbird on March 23 in Focal, Ubuntu 20.04 which fixed the problem.
https://launchpad.net/ubuntu/+source/thunderbird

Upstream (hope I used that term right) released a fix on March 5.
https://www.thunderbird.net/en-US/thund ... easenotes/

It just concerns me about Ubuntu that they may not even have examined whether this zero day even affected Thunderbird in Ubuntu.

Again, just for contrast Debian seems to have done triage on Thunderbird.
https://security-tracker.debian.org/tra ... 2022-26485

You can see that some versions are listed as fixed whereas some are listed as vulnerable. If it was vulnerable on Debian it seems that it should be vulnerable on Ubuntu.

So am I on the right track here? :)

LE_746F6D617A7A69
Posts: 932
Joined: 2020-05-03 14:16
Has thanked: 7 times
Been thanked: 65 times

Re: How much do you trust Debian?

#64 Post by LE_746F6D617A7A69 »

Shamak wrote: 2022-03-26 17:03 So I took a look at the Ubuntu page where they have cve-2022-26485, the zero day for Firefox and Thunderbird I mentioned.
https://ubuntu.com/security/CVE-2022-26485
FYI: *zero day attack* means that someone has discovered a security hole in some system *and* that such security hole has been actually *used* -> there's no such option, that You can be warned about zero-day attack -> such *news* is complete bullshit -> zero-day attack means "unpredictable" attack, which is "unknown", until the results of that attack are discovered.
Bill Gates: "(...) In my case, I went to the garbage cans at the Computer Science Center and I fished out listings of their operating system."
The_full_story and Nothing_have_changed

Marie SWE
Posts: 241
Joined: 2021-04-06 22:14
Location: Sweden / Linköping
Has thanked: 7 times
Been thanked: 9 times

Re: How much do you trust Debian?

#65 Post by Marie SWE »

I just want to add that it is often classified as zero day until there is a defense such as a patch/workaround, or an antivirus signature is released.
Why make things complicated in life, if you can make it easier for yourself... Do it. ;o)
You only have one life, so make the most of it and enjoy it while you can.

Shamak
Posts: 147
Joined: 2018-04-14 00:33
Has thanked: 11 times
Been thanked: 8 times

Re: How much do you trust Debian?

#66 Post by Shamak »

LE_746F6D617A7A69 wrote: 2022-03-26 22:41
Shamak wrote: 2022-03-26 17:03 So I took a look at the Ubuntu page where they have cve-2022-26485, the zero day for Firefox and Thunderbird I mentioned.
https://ubuntu.com/security/CVE-2022-26485
FYI: *zero day attack* means that someone has discovered a security hole in some system *and* that such security hole has been actually *used*...
Yes, this is my understanding and how I have intended to use the term.
-> there's no such option, that You can be warned about zero-day attack -> such *news* is complete bullshit -> zero-day attack means "unpredictable" attack, which is "unknown", until the results of that attack are discovered.
I generally look at this Bleeping Computer page where they announce zero days. For example, Chrome has a zero day that was announced and fixed yesterday, the 25th, so I know to not use Chromium until the fix is released.
https://www.bleepingcomputer.com/tag/zero-day/

cynwulf

Re: How much do you trust Debian?

#67 Post by cynwulf »

Marie SWE wrote: 2022-03-19 22:38 If you take a Windows 2000 computer with a configured software firewall, turn it on and no one uses it.. then the computer is secure.
This is too vague a statement. You would need a modern, secure firewall capable of running on Windows 2000 (problem!?) and configured to block all. You may as well have said a "Windows 2000 computer is secure if you don't connect it to the LAN/WAN".
Marie SWE wrote: 2022-03-19 22:38 If you take the latest version of any linux distro .. turn it on and a user installs a virus/trojan/ransomware.. then the computer is compromised.
This is too obvious to really make any useful point or comparison.
Marie SWE wrote: 2022-03-19 22:38 I only trust systems that I have a 100% understanding of how it works
[...]
So at present time, I can make a win7(EOL) computer more secured than my Debian and LMDE computers. Why? is it because win7 is more secure? absolutely not. :shock:
It is just because I know windows systems and have 30+years experience of microsoft OS and a sysadmin education(14years old)...
You're implying that an EoL Windows 7 installation is more secure than a modern Linux distribution, on account of you having "100% understanding of how it works". That is easily disproven. Unless you happen to have the source code to hand and can demonstrate a full and thorough understanding? I have used Windows, at home and professionally, since the days of Windows 3.1 and MSDOS before that, and I certainly wouldn't even claim a 50% understanding of how it works, let alone 100%.

Windows is a "black box", designed and engineered in fact to limit your understanding of it and to place you in the lap of a multi billion $ corporation and the parasitic companies and "professionals" it certifies to utilise the tangle of administrative tools it develops for the purpose along with the mess of 3rd party proprietary crap one often has no choice but to use to carry out simple tasks which just work out of the box on a 'BSD or Linux system.

Professionally, I have to use powershell, write powershell scripts, batch files, occasionally vbs scripts and I can assure you that I "understand" only as much as I need to, partially by choice, partially because it's a horribly complex rats nest and clusterf***.

Trihexagonal
df -h | participant
Posts: 149
Joined: 2022-03-29 20:53
Location: The Land of the Dead
Has thanked: 20 times
Been thanked: 16 times

Re: How much do you trust Debian?

#68 Post by Trihexagonal »

I started using Debian in 2002. If I had reason not to trust it I would have found out by now.

Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

Re: How much do you trust Debian?

#69 Post by Onsemeliot »

Trihexagonal wrote: 2022-03-30 20:28 I started using Debian in 2002. If I had reason not to trust it I would have found out by now.
You just don't know where all your private data is shared. :mrgreen:

But seriously, I expect we are not aware of most mishaps. It is similar to the fact that no sufficiently complex code can be guaranteed to be fully free of errors. But having many eyes on it and doing extensive testing certainly helps to limit unexpected results. So, I don't think there are many alternatives that are as (or even more) reliable than Debian stable.
Last edited by Onsemeliot on 2022-04-03 09:30, edited 1 time in total.

Uptorn
Posts: 209
Joined: 2022-01-22 01:07
Has thanked: 177 times
Been thanked: 45 times

Re: How much do you trust Debian?

#70 Post by Uptorn »

I want to be able to trust the individuals working on Debian. But at the same time, I do not want to have to trust anything about Debian if I can avoid it. It is a distributed effort with many points of potential compromise.

So it is not unreasonable to minimize the amount of software that you pull from the Debian repos. Don't just accept the meta pre-packaged Install options. Start with a blank slate and add only the things you will use. The Debian repository also has a Tor mirror. This can prevent anyone Debian-side from knowing that your package download request is going specifically to your device. And even with as much man power as Debian has, it is not inconceivable that malicious functionality can be slipped into some upstream project (like the kernel itself!) which could go unnoticed for some time.

Trihexagonal
df -h | participant
Posts: 149
Joined: 2022-03-29 20:53
Location: The Land of the Dead
Has thanked: 20 times
Been thanked: 16 times

Re: How much do you trust Debian?

#71 Post by Trihexagonal »

Onsemeliot wrote: 2022-04-01 19:32 You just don't know where all your private data is shared.
You underestimate my ability to find out such things.

How far I will go to correct a situation detrimental to the user once I do find out, if all else fails, a matter of Public Record.
When Darkness takes everything embrace what Darkness brings.

Onsemeliot
Posts: 333
Joined: 2010-12-15 14:43
Has thanked: 20 times
Been thanked: 5 times

Re: How much do you trust Debian?

#72 Post by Onsemeliot »

Trihexagonal wrote: 2022-04-02 01:37 You underestimate my ability to find out such things.
Maybe. But what for example can you do about pages that aren't linked anywhere publicly but that are known by people who are working with it?

trinidad
Posts: 290
Joined: 2016-08-04 14:58
Been thanked: 14 times

Re: How much do you trust Debian?

#73 Post by trinidad »

For a home user in the US stable software is exponentially more important than all the Web security myths. It is still a fact that volatile software like Windows/Intel cartel offerings coupled to inexperienced users creates security gaffes all by itself. Whatever you run as a home user is at risk when using the Web period, and more dependent for security on your ISP than you might imagine. There are common sense things you can do.

#1 Run Debian stable.
#2 Don't save financial info on your drive or to the cloud.
#3 Learn how to use nmap and iftop to monitor your Web connections.
#4 Realize that Google and Amazon are privacy invaders and a lot of phone home security risks are based on their telemetry collectors because they are common and easy to repurpose.
#5 Surfing the Web is like sailing the Sargasso Sea: when there actually is a wind you start to move OK, but after a while the seaweeds slow you down and can even flounder you if you don't pay attention.

TC
You can't believe your eyes if your imagination is out of focus.

Uptorn
Posts: 209
Joined: 2022-01-22 01:07
Has thanked: 177 times
Been thanked: 45 times

Re: How much do you trust Debian?

#74 Post by Uptorn »

trinidad wrote: 2022-04-03 14:23 #3 Learn how to use nmap and iftop to monitor your Web connections.
I have used tcpdump for this. If I wanted to try nmap, what is a good way to do monitoring in realtime with it?
#5 Surfing the Web is like sailing the Sargasso Sea: when there actually is a wind you start to move OK, but after a while the seaweeds slow you down and can even flounder you if you don't pay attention.
I'm a bit too smooth brained to follow the analogy. Elaborate?

CwF
Global Moderator
Posts: 2638
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 41 times
Been thanked: 192 times

Re: How much do you trust Debian?

#75 Post by CwF »

Trihexagonal wrote: 2022-04-02 01:37
Onsemeliot wrote: 2022-04-01 19:32 You just don't know where all your private data is shared.
You underestimate my ability to find out such things.

How far I will go to correct a situation detrimental to the user once I do find out, if all else fails, a matter of Public Record.
Seeds, spread in some seeds, then you know. Only 'you' had that seed.

No good way to judge trust. Validate mistrust, deduct, the Trust is what remains.

Trihexagonal
df -h | participant
Posts: 149
Joined: 2022-03-29 20:53
Location: The Land of the Dead
Has thanked: 20 times
Been thanked: 16 times

Re: How much do you trust Debian?

#76 Post by Trihexagonal »

CwF wrote: 2022-04-03 15:28
Trihexagonal wrote: 2022-04-02 01:37
Onsemeliot wrote: 2022-04-01 19:32 You just don't know where all your private data is shared.
You underestimate my ability to find out such things.

How far I will go to correct a situation detrimental to the user once I do find out, if all else fails, a matter of Public Record.
Seeds, spread in some seeds, then you know. Only 'you' had that seed.

No good way to judge trust. Validate mistrust, deduct, the Trust is what remains.
Trust is earned over time by exhibiting behavior worthy of trust.

I can give you an example that violates that trust but have already posted it on more than one occasion.
It would serve no constructive purpose and just add mud to the dung flung here.
When Darkness takes everything embrace what Darkness brings.

Trihexagonal
df -h | participant
Posts: 149
Joined: 2022-03-29 20:53
Location: The Land of the Dead
Has thanked: 20 times
Been thanked: 16 times

Re: How much do you trust Debian?

#77 Post by Trihexagonal »

Trihexagonal wrote: 2022-04-02 01:37
Onsemeliot wrote: 2022-04-01 19:32 You just don't know where all your private data is shared.
You underestimate my ability to find out such things.

How far I will go to correct a situation detrimental to the user once I do find out, if all else fails, a matter of Public Record.
Please allow me to back that up with more than talk:

https://www.lumendatabase.org/notices/27708765

Actions speak louder than words.


There's nothing else I have to say about it that would be on topic. Only that I hope I've made a valuable contribution to the topic as a forum member as only I can.


To the sky... To the sky...
When Darkness takes everything embrace what Darkness brings.

user6c57b8
Posts: 19
Joined: 2022-05-31 16:19
Has thanked: 5 times

Re: How much do you trust Debian?

#78 Post by user6c57b8 »

How much do you trust Debian?
I 3% trust Debian, which is more than I trust my older sister.

Trihexagonal
df -h | participant
Posts: 149
Joined: 2022-03-29 20:53
Location: The Land of the Dead
Has thanked: 20 times
Been thanked: 16 times

Re: How much do you trust Debian?

#79 Post by Trihexagonal »

As an update, and to my point that trust is earned over time by exhibiting behavior worthy of trust, Friday Google informed me they will remove from their search engine results the links to the tutorials I wrote the FreeBSD forums decided to steal:
Hello,

Thanks for reaching out to us.

In accordance with the Digital Millennium Copyright Act, the following URLs
will be removed from Google’s search results shortly:

https://forums.freebsd.org/threads/beginners-guide-how-to-set-up-a-freebsd-desktop-from-scratch.61659/
<https://www.google.com/url?q=https%3A%2 ... z7Uq0A26m5>
https://forums.freebsd.org/threads/how-to-spoof-your-ether-mac-on-freebsd.79268/
<https://www.google.com/url?q=https%3A%2 ... 1kFJwyvz1f>

Regards,

The Google Team

For more information about our content removal process access g.co/legal
<https://support.google.com/legal/answer/3110420>.

Would you trust Debian if they knowingly engaged in unlawful activity?
When Darkness takes everything embrace what Darkness brings.
