Re: [FRIAM] Source Forge, inter alia

2014-07-08 Thread Arlo Barnes
On Thu, Jul 3, 2014 at 10:33 AM, Marcus G. Daniels mar...@snoutfarm.com
wrote:

 On Thu, 2014-07-03 at 09:51 -0600, Barry MacKichan wrote:
  The HeartBleed bug is an example of a serious, unintentional, problem in
  an open source package. In that case, even though the software was
  available to millions of eyeballs, not that many actually looked at it.
  I suspect only the mainstream big programs (such as Apache) are closely
  examined. Since I usually find the programs I want through word of mouth
  from people I trust, I don't worry much about it and have not yet
  regretted it. Also, I use a Mac.

My understanding was that OpenSSL is a large utility with quite a lot of
code and complexity, more than needed for the root functionality. It does
not help to have a lot of eyeballs if almost all get bored and confused and
soon give up! Apparently there is an alternative effort underway called
LibreSSL, we shall see how it is received. But it is an interesting
provocation to consider the multifaceted ways something can be (or fail to
be) 'open', or to an even more convoluted degree, 'free'.
-Arlo James Barnes

FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

[FRIAM] Source Forge, inter alia

2014-07-03 Thread Nick Thompson
Sorry, everybody.

I guess my question could be stated more broadly, with perhaps some saving
of your time in the long run.  How do I decide if a piece of software,
available on the internet, is safe or not?  I guess one can look for reviews
on reputable sites, but then how does one recognize a reviewing site as
reputable?  I suppose one could look at the webpage of the software maker
and see if the software is being regularly updated, etc.  What about the
site on which the software is hosted?  Does that give a clue?  Does Source
Forge screen its software?  If so, I couldn't see any sign of that on the
Source Forge page.

Perhaps if one of you would provide an answer to me on this general
question, it would save you all being bothered by particular versions of it
later on.

Thanks,

Nick

Nicholas S. Thompson
Emeritus Professor of Psychology and Biology
Clark University
http://home.earthlink.net/~nickthompson/naturaldesigns/

 



Re: [FRIAM] Source Forge, inter alia

2014-07-03 Thread Marcus G. Daniels
Open source software is less likely to have spyware or viruses.  That's because
the software is in its preferred high-level form - the recipe is published.
Proprietary software, in contrast, is delivered as a binary.  To know
whether bad stuff is in a binary program, a difficult decompilation and
reverse engineering process is needed to get back to something like the
preferred form.  Like having to run spectroscopy to find out what is in a
cake.  In the open source case, you just bake your own cake.  If you know
the ingredients are plausible, and the structure of the recipe makes sense,
then you can feel good about having a piece of cake.  And even if you are
not a baker, you may know some bakers that can give an opinion on the
recipe.  That doesn't mean there aren't bugs or bad oversights, but malicious
behavior is harder to hide.

 


Re: [FRIAM] Source Forge, inter alia

2014-07-03 Thread glen ep ropella


The best thing to do is run the software in a virtual machine, e.g. 
https://www.virtualbox.org/.  Perhaps even run your web requests through 
a proxy server. http://www.publicproxyservers.com/  Depending on what 
you mean by safe, this will help you isolate the thing until _you_ 
decide it's safe.  And, of course, run it through some sort of checker, e.g.


https://www.virustotal.com/en/url/4ce00249c99238a33ca8f7a4a75d763e0035b23ab0ef043129bb6e0e5d0afec8/analysis/

preferably more than one:

http://app.webinspector.com/public/reports/22906975

To take it a few steps further, you can check for spammers:

http://mxtoolbox.com/SuperTool.aspx?action=blacklist%3akeepvid.comrun=toolpage

See what OS they are (claim to be) running:

http://searchdns.netcraft.com/?host=keepvid.comx=8y=1

See how their website has evolved over time:

https://web.archive.org/web/*/http://keepvid.com

See bitcoin transactions:

https://blockchain.info/address/1NYQHzvg7DT4PDoTm7h6jy46gPKS3gNoZu

And then there's always page 10 of the Google search results, which gives 
us these sites:


http://blog.teesupport.com/easy-and-effective-guide-for-getting-rid-of-keepvid-com-quickly-manual-removal-guide/
http://www.cleanpcguide.com/remove-keepvid-com-removal-guide-how-to-remove-keepvid-com/






--
glen e. p. ropella, 971-255-2847, http://tempusdictum.com




Re: [FRIAM] Source Forge, inter alia

2014-07-03 Thread Gillian Densmore
Hmm, well, the short (as compared to tall) answer is that some places screen
software for extra crap. If you use Chrome or Firefox, get an add-on called
Web of Trust as a start.
Cnet and Zdnet are middling, but a start for where to get safe software.
Anecdotally I don't like how either of those will try to add extra
needed crap, but it's (generally) safe to not agree to installing it.


Detailed answers:
Depending on what you do, and if it's in your price range, Macbook. MacOS
apps are way less prone to junk (anecdotally).

Otherwise, since you're likely using a Windows box, get an antivirus program;
they help. MS Security Essentials or Avast Anti Virus (free version) are a
start. Norton, Zonealarm, etc. are also an option.
For backups I used Norton Ghost; seemed to work. Shadow Protect gets good
reviews; I don't know if they still have a demo of it.

That said, anecdotally the Cnet shareware I've gotten doesn't tend to have
virii, but does have add-attachments, which is obnoxious.



A smart-arse saideth to me: Windows 8? The only virus people willingly
install







Re: [FRIAM] Source Forge, inter alia

2014-07-03 Thread Barry MacKichan
The HeartBleed bug is an example of a serious, unintentional, problem in 
an open source package. In that case, even though the software was 
available to millions of eyeballs, not that many actually looked at it. 
I suspect only the mainstream big programs (such as Apache) are closely 
examined. Since I usually find the programs I want through word of mouth 
from people I trust, I don't worry much about it and have not yet 
regretted it. Also, I use a Mac.

—Barry




Re: [FRIAM] Source Forge, inter alia

2014-07-03 Thread Owen Densmore
Are Macs still more secure than Windows?  I presume not, but here are some
opinions:

Yes:
http://www.zdnet.com/sorry-to-say-that-apple-platforms-are-still-more-secure-726880/

Not really:
http://blogs.avg.com/business/yes-mac-safer-pcfor/




Re: [FRIAM] Source Forge, inter alia

2014-07-03 Thread Marcus G. Daniels
On Thu, 2014-07-03 at 09:51 -0600, Barry MacKichan wrote:
 The HeartBleed bug is an example of a serious, unintentional, problem in 
 an open source package. In that case, even though the software was 
 available to millions of eyeballs, not that many actually looked at it. 
 I suspect only the mainstream big programs (such as Apache) are closely 
 examined. Since I usually find the programs I want through word of mouth 
 from people I trust, I don't worry much about it and have not yet 
 regretted it. Also, I use a Mac.

The path of least resistance for organizations without a lot of time and
money (and integrity) is just to keep secrets until they are forced to
do something.  People are prone to trusting authorities on things, and
remarkably will even pay for the privilege and insist on governance to
be sure of it!  

I would rather be able to estimate risk and intervene when the risks are
high.  Or at least have a feasible way to gain meta knowledge about what
I don't know.  As Roger once remarked (paraphrasing), I'm getting more
ignorant every day.  I just want to be able to get a sense of the rate
of that process...  Many people seem to believe they can stop that
process, or stop the consequences of that process, by delegating and
deferring to others.  But they are wrong.  

Marcus  


