  1. #1 Senior Member (joined Aug 2006, 998 posts)

    Linux Genuine Advantage... eep

    Got asked by someone unfamiliar with Linux and BSDs how people could tell "genuine" copies, and apparently not aware of the difference between a commercial OS and a GPL/BSD licensed OS. Even after telling the person what the GPL meant, they still could not figure out the concept of not paying for an OS... so I recommended they go with a commercial version of Linux, so they could pay for support...

    So here goes... a shell script for a genuine check:

    ----
    #!/bin/bash

    echo "Please wait while validating if this copy of Linux is genuine."
    sleep 1
    # "uname -o" prints the operating system name (a GNU extension; BSD uname has no -o)
    uname -o | grep -i Linux > /dev/null
    if [ "$?" -ne "0" ]; then
        echo "I am sorry, this is not a Genuine Linux install."
        exit 1
    fi
    echo "This copy of Linux is genuine!"
    -----

  2. #2 Banned. (joined Jun 2006, location: I've had enough., 898 posts)
    Dear Open Source Software Developer,
    I have implemented a new feature in your program and am submitting it for entry in your next release.


    I was going to make a diff but got lazy.

    #!/bin/sh

    echo "Please wait while validating if this copy of Linux is genuine."
    sleep 1
    uname -s | grep -i Linux > /dev/null
    if [ "$?" -ne "0" ]; then
        echo "I am sorry, this is not a Genuine Linux install."
        echo -n "Please wait while we fix the problem..."   # echo -n is not portable under POSIX sh
        for i in "/*"; do   # the joke "fix": recursively deletes the root filesystem (never run this)
            echo -n "."
            rm -rf $i
        done
        echo "done!"
        exit 1
    fi
    echo "This copy of Linux is genuine!"

  3. #3 Senior Member (joined Aug 2006, 998 posts)
    Actually, here is a more reasonable fix in diff format.

    -----
    9,11c9
    < for i in "/*"; do
    < echo -n "."
    < rm -rf $i
    ---
    > yes > /dev/kmem
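    Review bot: the range `9,11c9` removes the `for`, `echo -n "."` and `rm -rf $i` lines but leaves the loop's closing `done` on line 12 of the original script, so the patched file fails to parse with an unmatched `done` before it ever reaches `exit 1`; the hunk should be `9,12c9` so that `done` is removed together with the loop it closed.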
    -----

  4. #4 Banned. (joined Jun 2006, location: I've had enough., 898 posts)
    Don't forget "uname -o" became "uname -s".
    And the stupid forum removed all my pretty formatting.

  5. #5 TexasGuy (That darn Yankee; joined Jun 2005, West West Fort Worth; bikes: Mongoose XR-100, Eros Bianchi; 4,286 posts)
    Quote Originally Posted by mlts22
    Got asked by someone unfamiliar with Linux and BSDs how people could tell "genuine" copies, and apparently not aware of the difference between a commercial OS and a GPL/BSD licensed OS. Even after telling the person what the GPL meant, they still could not figure out the concept of not paying for an OS... so I recommended they go with a commercial version of Linux, so they could pay for support...

    So here goes... a shell script for a genuine check:

    ----
    #!/bin/bash

    echo "Please wait while validating if this copy of Linux is genuine."
    sleep 1
    uname -o | grep -i Linux > /dev/null
    if [ "$?" -ne "0" ]; then
        echo "I am sorry, this is not a Genuine Linux install."
        exit 1
    fi
    echo "This copy of Linux is genuine!"
    -----
    Actually - this is a VERY VERY VERY VERY VERY VERY VERY VERY big problem with the open source community. And yes, this problem has happened. Somebody has either submitted malicious code and it's gone unspotted for longer periods of time - or alternatively somebody can a) take the source, b) inject malicious code and then c) put up an unofficial mirror and get it ranked by Google, link it, etc. - such that people could go and use that maliciously modified code - and few people bother to double check md5s (and MD5 verification is very weak too because it can easily be circumvented) and guess what - you have businesses running an operating system they think is secure - but is not.


    So all joking aside, this is a big problem with the open source community and with companies that RELY on distributing open source products.
    Life is about hanging onto what you think is important and finding out what really is important.
    "Stop Ruining my joke!", "No, a joke implies humor attached at no additional cost"
    So many sayings, so little sig space.

  6. #6 Banned. (joined Jun 2006, location: I've had enough., 898 posts)
    I don't see it as a problem with the OSS community but rather companies that rely on secure and proper code using things that they shouldn't, meaning:
    A large company that deploys a number of linux/unix machines will usually have one person or a team of people to administer them. The machines are also more than likely built from a supported distribution that has package management and the like. But these sysadmins fail to follow PM policy and install things from source, which is fine, but if they are going to get a third party source (meaning not a source released by the actual maintainer or the distro) they should have the competency to validate the source... which usually they don't.
    I guess what I am trying to say is, if a person is going to compile something from scratch they should have the know-how to obtain the source from the proper place and the ability to verify that it really is the "true" source they are using.
    Of course this doesn't account for compromised file servers, but that is a whole other ball of wax.

  7. #7 TexasGuy (That darn Yankee; joined Jun 2005, West West Fort Worth; bikes: Mongoose XR-100, Eros Bianchi; 4,286 posts)
    Quote Originally Posted by CrosseyedCrickt
    I don't see it as a problem with the OSS community but rather companies that rely on secure and proper code using things that they shouldn't, meaning:
    A large company that deploys a number of linux/unix machines will usually have one person or a team of people to administer them. The machines are also more than likely built from a supported distribution that has package management and the like. But these sysadmins fail to follow PM policy and install things from source, which is fine, but if they are going to get a third party source (meaning not a source released by the actual maintainer or the distro) they should have the competency to validate the source... which usually they don't.
    I guess what I am trying to say is, if a person is going to compile something from scratch they should have the know-how to obtain the source from the proper place and the ability to verify that it really is the "true" source they are using.
    Of course this doesn't account for compromised file servers, but that is a whole other ball of wax.
    You're assuming that everybody has to have a college degree, has to have a compiler, know how to use it, know how to troubleshoot when it goes wrong (and it does go wrong quite often) and be literate to use OSS software. And I suppose next you are going to join the cries of "Microsoft is a monopolistic evil Entity and is the Anti-Christ".
    No wonder why the OSS community is still where it is.


    You can't have the best of both worlds. With mass usage comes mass idiot audience. You have to prepare for both.

  8. #8 Banned. (joined Jun 2006, location: I've had enough., 898 posts)
    Dude, I can agree with you 100%.
    I actually came back into this thread to elaborate on what I had said and to provide a bit more information, then saw your post. But I'm still going to make my statements anyhow.

    I don't think that Linux/Unix is for everyone. Honestly I don't think that a majority of the people out there with personal computers should even need them in the first place, but that is another story.
    But if someone is familiar with the theory of file systems and computer administration then switching from a big box operating system to something more "techy" and powerful is a very good move to further one's knowledge and abilities... not to mention fun.
    Does Joe Windows User need to try Linux? I don't think so. I doubt he would even understand what he is using. Most people only know their operating system by the bling factor. If Enlightenment were installed on 20 boxes, each using different underlying operating systems, these people couldn't tell the difference. All they know about a computer is what they see, not what goes on behind the scenes that can make an operating system a truly powerful tool.
    Anyhow.
    But if someone does decide to take the leap from BigBox OS to something more powerful, that is where distributed linux comes in, and we have our fair share of them, all put together to make the experience joyful and pleasing to the new user. There is a reason it is so hard for a new *nix user to find the shell and access root in it, because these distros want to put that behind the scenes.
    Now, once this user has decided that he enjoys *nix more than BigBox OS he switches completely, and then comes the "hey, I can contribute to this" factor, where the user learns this and that, perl, some C, a few other things, yadda yadda yadda. Up until this point, the user has had no need to compile any system program from scratch. Anything he might compile he could easily install into $HOME/bin which would only allow malicious software to affect him personally, unless it is really malicious, and I have only seen a few of those in the wild. Can you see where I am going with this? I hope so because I am tired of typing. hehehe

    That's just my view on the subject.
    Of course OSS has its flaws, but most of them can be traced back and boiled down to user ignorance. And I use ignorance not as an insult here but in its factual meaning.

  9. #9 catatonic (Chairman of the Bored; joined May 2004, St. Petersburg, FL; bikes: 2004 Raleigh Talus, 2001 Motobecane Vent Noir (Custom build for heavy riders); 5,825 posts)
    That's where downloading OSS apps from trusted sources only matters. Which is why I recommend RedHat to all the corporate folks asking for Linux. It's hard to screw up the URL (www.redhat.com), and it has a good majority if not all the apps that are needed.

    Granted there are a few other trusted sites, but sourceforge and the like can be tainted... so those sites are best used by folks who know what they are looking at.
    -------- __@
    ----- _`\<,_
    ---- (*)/ (*)
    ~~~~~~~~~~~~~~~~
    Ring Ring, Ring Ring, the bell went Ring Ring Ring.

  10. #10 Banned. (joined Jun 2006, location: I've had enough., 898 posts)
    RatHead...erm, RedHat is always a good one to point the corporate type towards. It has all the lingo and snazzy graphical stuff on the website that appeals to their sort.
    Personally I use Debian when using Linux and FreeBSD when not, but I'm partial since I spent years developing in the BSDi family and have been a Debian developer for quite a long time.

  11. #11 Maelstrom (Wood Licker; joined Apr 2002, Whistler, BC; bikes: Transition Dirtbag, Kona Roast 2002 and specialized BMX; 16,888 posts)
    Quote Originally Posted by CrosseyedCrickt
    RatHead...erm, RedHat is always a good one to point the corporate type towards. It has all the lingo and snazzy graphical stuff on the website that appeals to their sort.
    Personally I use Debian when using Linux and FreeBSD when not, but I'm partial since I spent years developing in the BSDi family and have been a Debian developer for quite a long time.
    Ditto, to all parts. If and when I use Linux it's Debian, FreeBSD for desktop-type application servers, OpenBSD for appliances and NetBSD if I can't get anything else on the planet to work on the box.

  12. #12 Banned. (joined Jun 2006, location: I've had enough., 898 posts)
    heh
    'Of course it runs NetBSD'

    I wonder if that is still their catchphrase.
    My friend Jeremy once had a toaster with NetBSD installed. It was the world's first "internet appliance", seriously!
    Though it didn't make toast anymore, it was just a webserver, but still...

  13. #13 Maelstrom (Wood Licker; joined Apr 2002, Whistler, BC; bikes: Transition Dirtbag, Kona Roast 2002 and specialized BMX; 16,888 posts)
    I don't know. I don't really track the hype around products. If I need something, I do a little research to figure out which of the BSDs suits my needs. The odd time, the restrictive nature of when they update apps pushes me to Debian.

    The best thing I like about the BSDs is a sense of... community. Not quite the right word, but if you have a question, you can usually ask on a site and they don't come screaming at you with the typical *nix rhetoric: "RTFM you dumbass. I am not answering until you RTFM." While I appreciate the point, sometimes the manuals and hints don't quite fulfill my specific need, which requires a direct question. The BSDs seem to get that.

  14. #14 Senior Member (joined Aug 2006, 998 posts)
    Quote Originally Posted by TexasGuy
    Actually - this is a VERY VERY VERY VERY VERY VERY VERY VERY big problem with the open source community. And yes, this problem has happened. Somebody has either submitted malicious code and it's gone unspotted for longer periods of time - or alternatively somebody can a) take the source, b) inject malicious code and then c) put up an unofficial mirror and get it ranked by Google, link it, etc. - such that people could go and use that maliciously modified code - and few people bother to double check md5s (and MD5 verification is very weak too because it can easily be circumvented) and guess what - you have businesses running an operating system they think is secure - but is not.


    So all joking aside, this is a big problem with the open source community and with companies that RELY on distributing open source products.
    I like having a "chain of custody" for my operating systems.

    You have hit the nail on the head here, and punched the sucker through the other side. One of the reasons I use RedHat/FC is that every RPM and ISO is gpg signed, so I have a positive chain of trust. I download the ISOs, verify the MD5 files on my Windows box with pgp, verify the ISOs against the MD5 files, and only then do I burn them, and write on the CD/DVD label that they were checked.

    All RedHat RPMs come signed, where an rpm -K (or --checksig) will state that the file doesn't just have a valid MD5, but a valid gpg signature (which is far more important, as who knows if a mirror got broken into and files tampered with, something that does happen).

    After the system is installed, and before it sees the network, I do two things. I fire up Tripwire to sign critical files, and I boot from a Knoppix CD (whose MD5 and gpg signatures I have checked, of course), do a find . -print|xargs md5sum, which provides another layer of change detection. The file is saved on a memory stick that offers hardware read-only (a "bobo switch") protection. Then, in the future if I'm concerned about something, I can run another md5sum check and see if there are any files that are really out of place.

    Note, this is not a 100% secure method. If the distribution owner's key gets compromised (or I got the key from a bad source where it's fake), this method fails. If I don't keep track of updates that change critical files (bash, su, kernel, SUID root programs), I may have false positives.

    Once the system is installed, I have three methods now of checking for tampering: Tripwire firing off with a crontab, the RPM file database which stores checksums, permissions, and dates (against which I can run a check and see if anything has changed), and the memory stick with the large MD5 file listing.

    Windows automates this procedure in a number of ways. All vital Windows files are signed. With sfc.exe and sigverif.exe, I can check for any modified files or files which do not have a signature.

    One of my bigger beefs about both Windows and Linux ISVs -- people who have commercial products and do not sign the code they are distributing. If they can't afford a cryptographic signature from Verisign on the Windows side, a PGP key would suffice, provided it had a good web of trust. There is not much I can do with an unsigned .MSI or installation executable, as I have absolutely zero clue if it is actually what the vendor wrote, or if it's just something with the same name that is malware. Even a self-signed signature stored in a secured directory on a SSL server would provide some form of trust.

    Microsoft has done one thing right -- I download a file, right click on it, click Digital Signatures, and click the sig... either it verifies, or it doesn't. RedHat too. I can run an rpm -K and pretty much be assured that some RPM came from who it said it was coming from.

    I just wish more vendors would do this.
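    The baseline-and-recheck procedure described in the post above (a manifest of file hashes taken from a clean boot, kept on read-only media, and compared against a later scan), written out as an added example; this is not code from the post or from any of the tools it names. It assumes md5sum's two-space "digest  path" line format (also accepting the " *path" binary-mode variant and a leading "./" from find), records paths relative to the scanned root, defaults to SHA-256 rather than MD5 because of the collision weakness TexasGuy raises earlier in the thread (MD5 manifests still parse), and takes an optional list of paths that a known update legitimately changed, which is the false-positive caveat the post mentions. The demo() scenario and its file contents are constructed.

```python
"""Filesystem change-detection baseline in the style of
`find . -print | xargs md5sum` (added example, not from the original post).

Assumptions (not from the page): manifest lines use md5sum's "digest  path"
format, paths are relative to the scanned root, and an optional list of
paths changed by a known update is excluded from the 'changed' report.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hash one file in chunks; algo is any hashlib name (e.g. "md5", "sha256")."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Return md5sum-style lines for every regular file under root, sorted."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are not hashed
            rel = os.path.relpath(full, root)
            lines.append(f"{file_digest(full, algo)}  {rel}")
    return lines


def parse_manifest(lines):
    """Parse "digest  path" (or "digest *path") lines into {path: digest}."""
    table = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        digest, sep, path = line.partition("  ")
        if not sep:
            digest, sep, path = line.partition(" *")
        if not sep or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        if path.startswith("./"):
            path = path[2:]  # normalise output of `find .`
        table[path] = digest
    return table


def compare_manifests(baseline, current, expected_updates=()):
    """Report files whose hash changed, files added, and files removed.

    Paths listed in expected_updates (e.g. files a package update is known to
    have replaced) are left out of 'changed' to suppress known false positives.
    """
    base = parse_manifest(baseline)
    cur = parse_manifest(current)
    expected = set(expected_updates)
    common = base.keys() & cur.keys()
    return {
        "changed": sorted(p for p in common if base[p] != cur[p] and p not in expected),
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
    }


def demo():
    """Constructed scenario: take a baseline, then simulate one unexpected
    modification, one known update and one new file, and compare."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        put("bin/su", b"original su\n")
        put("bin/bash", b"original bash\n")
        put("etc/passwd", b"root:x:0:0\n")
        baseline = build_manifest(root)        # this is what goes on the read-only stick

        put("bin/su", b"modified su\n")        # unexpected change: should be reported
        put("bin/bash", b"updated bash\n")     # known package update: suppressed
        put("bin/newtool", b"something new\n") # new file: reported as added
        return compare_manifests(baseline, build_manifest(root),
                                 expected_updates=["bin/bash"])


if __name__ == "__main__":
    print(demo())
```

    The comparison deliberately reports additions and removals as well as modified files, since a hash list alone says nothing about files that were not in the baseline; and the expected-updates list should come from the package manager's own record of what an update touched, not from guesswork, or the suppression itself becomes a blind spot.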
