• 0 Posts
  • 9 Comments
Joined 1 year ago
Cake day: October 7th, 2023



  • From what I’ve read, thus far, prohibiting autotools would be a good first step.

    Then auditing all the damn ocean-of-vulnerability-in-a-single-crufty-swamp dependencies, & getting committed about clarity & accountability in packages, would probably be required.


    I read an article, a couple years ago, about web-frameworks…

    The guy doing the writing said he found they were often malware, or corrupt, or trojans, or utter-bullshit…


    Haskell’s got a kind of mantram: don’t bring in a whole framework, just compose what you need, yourself, together.

    It’s a granularity-difference.


    Requiring a framework, which itself requires other frameworks, as that guy was pointing-out ( he wasn’t interested in Haskell ), is a liability nightmare.

    But the culture of just having an infinite bring-in of frameworks & libraries, so one can write a little, easy code, is a culture that is biting the world’s security in the ass.


    It cannot be, that people just include everything from everywhere, & somehow have secure/trustworthy systems.

    To have a secure, trustworthy system, one needs to know that one has disincluded corruption/malicious-code.

    That requires limiting what’s included, that includes auditing, that includes accountability, that includes having understandable, sufficiently-clear stuff that one is including.

    Consistently, at all levels, relentlessly.

    It’s a chain: you cannot have a weak-link without compromising the whole chain.

    You cannot compromise ANY subsystem in a distro, & have a trustworthy distro.

    There are 2 contradictory paradigms: the “magic bullet paradigm”, which doesn’t care how much rot, compromise, anything, so long as they include the “magic bullet” which takes-out the competitor…

    … vs the “no weak-points, whatsoever, paradigm”, which doesn’t rely on magic, it relies on defense-in-depth, and carefulness, and everybody working coherently, etc, in order to disallow corruption/malicious-actors any leverage/grasp on us.

    They are cultures, not just ideas.

    Some people cannot tolerate a “no weak-points” culture, they “NEED” to compromise things ( “I don’t care about the bugs, get more features in!!” ), and they must be put out into the other organizations/operations, because they CANNOT tolerate careful-paradigm.

    It truly is a culture, or “religion”, and there’s no faking it.

    Look to OpenBSD, & see what it takes to be like them…




  • I used to think like that, sorta.

    Read Kegan & Lahey’s “Immunity to Change” book, on people’s unconscious-mind’s mechanism for fighting-off growing-up.

    Then let it percolate in your mind for a few decades, while you watch humankind’s process.

    I’d now make a law requiring that the top people be Kegan5 unconscious-mind-development ( he calls 3, 4, & 5 something like “socially-based sentience”, rooted in needing to feel liked, “self-authoring” mind, which I call Bullying-BOSS mode, it’s an obnoxious mode male-culture values because it’s so “alpha”.

    Youtube’s Wranglerstar & Veritasium are both poster-people for it, 1 in working-class Kegan4 the other in middle/upper-middle-class Kegan4, & both displaying Kegan4’s obnoxiousness.

    I spent most of my adult life in it, and wish I could just retroactively slice most of my life from Universe.

    “systems-of-systems” mode is Kegan5. )

    It’s consistent that if you field a Kegan3 person to be your negotiation-representative, and the other side fields a Kegan4, you’re run-over.

    If you field a Kegan5 & they field a Kegan4, you’re run-over.

    IF they field a Kegan4, THEN you need equal/opposite bullying, in order that the zero-sum-game not beat your side to shit.

    However, IF they have the uprightness to field a Kegan5 & you can too, THEN Win-Win becomes possible.

    Young-adults, Kegan3’s ( the Kegan3 stage can continue for the entire rest of a person’s life, from post-adolescence to 100yo or more, but it is mentally/psychically a young-adult stage ), cannot accept that evil is real, the way someone mentally-older can.


    Kegan3’s are in the absorbing experience into their unconscious-mind, stage.

    Kegan4’s are in the pushing meaning out of their unconscious, “authoring” themselves through that unconscious-pushing-out process stage.

    Kegan5’s are in the this is true for them, that is true for these other people, the-other is true for me, and this is how it all fits together stage.

    I’d not permit any naive Kegan3’s to rule any major operation, nor permit any zero-sum-game-“validity” Kegan4’s to rule anything important.

    That book gives people the means of converting fighting-off-growing-up to actually-successfully-growing-up, and so it is worth many life-years or life-decades, to many.


    Nobody in the whole world has any reason to accept that my values have any validity in them, though, that is true.

    All who hold that there is no understanding which should be prerequisite to authority, well they all outnumber me, don’t they?

    shrug

    This I’ve found tests to be true, however.


    ( bonus point:

    it has been published that the DreamTeam formation is a team-of-7, with 2 who match the Kegan5 mental-development, 2 who match the Kegan4 mental-development, & 3 who match the Kegan3 mental-development.

    The Kegan4’s bursting with ideas, but not understanding all the systems-of-systems gotchas, means the team is more likely to be able to innovate,

    the Kegan5’s, if they can do it without demolishing the Kegan4’s morale, can ask questions to corner the Kegan4’s into considering all sorts of things they hadn’t, so they prevent lots of stupid mistakes,

    & the Kegan3’s are the “glue” which holds the team coherent & harmonious.

    I’m mixing multiple sources together, but they really were identifying the same thing, only each was doing-so without some of the other pieces.

    New Scientist had an article on The Dream Team, years ago, Chris McGoff’s book “The Primes” is part of it, the Kegan & Lahey book is part of it, some HBR stuff as well, perhaps some stuff from the managers-of-programmers books, what’s her name, Roth? can’t remember…

    fit it together, though, and it fits properly: there is a balance which produces working momentum, instead of institutional-mentality, and that working momentum is based on the substance of the minds of the people in the team, and ignoring the unconscious-mind-development stage … is ignoring the BIG part of each person’s iceberg.

    : )




  • If you have the ability to take a look at either SANS website, and see their articles, or have your system show you all the automatic attacks hitting your machine, then maybe you will understand…

    Botnets are coded to hammer-away at all possible internet-addresses, trying to break-in & hijack more machines, to include in the established criminal-machine that the botnet is…

    SANS said, a decade or 2 ago, that it took, on average, something like 6 or 4 minutes for a new MS-Windows machine to be owned by some attack from the internet.

    I’ve had Linux machines cracked/owned, and wiped 'em to get 'em clean.

    Having no immune-system is BAD.

    Linux botnets, Apple operating-system botnets, they exist.

    I don’t think there is any operating-system that is connected to the internet that doesn’t have attacks coded to crack it.

    I just looked at SANS.org, and they have totally changed, so they are now … more a moneymaking-machine wanting B2B biz?

    Here, though, are some cheat-sheets they made:

    https://www.sans.org/posters/?msc=main-nav

    They used to tell us the top-20 most effective protections for particular threats, identifying how prevalent the threats were, etc…

    No idea who does that nowadays…