This is a lose-lose scenario. If you don't trust a closed operating system in the first place, why would you then, after performing these steps, trust the system that it really does what it says it does. The point is that you don't know, and you can never be sure. The solution is to either trust or not, switch or stay, there is no middle path, because any middle path implies some amount of non-trust.
> This is a lose-lose scenario. If you don't trust a closed operating system in the first place
I don't trust open systems either. I don't have the time to audit them. If I did, I wouldn't trust myself to catch everything. I don't trust "enough eyes make all bugs shallow" either.
Case in point: Canonical written "features" in Ubuntu, and OpenSSL bugs in general.
> why would you then, after performing these steps, trust the system that it really does what it says it does.
Don't trust: verify with wireshark? Alternatively, trust the people who wrote this to have run wireshark. Alternatively, "Trust but verify."
I generally trust Microsoft and FOSS to not be actively malicious on their own behalf.
I trust neither Microsoft nor FOSS to do their privacy due diligence, write perfect software, to be free of capitalistic or engineering pressure to add privacy harming features, nor to be free from subversion by state actors (NSA etc.)
What's your superior counter-proposal, under these conditions?
> The point is that you don't know, and you can never be sure.
Fundamental truth of computing, not "windows 10". I can't even trust the code I write myself to be free of security or privacy issues due to my own mistakes or lack of consideration.
> The solution is to either trust or not, switch or stay, there is no middle path, because any middle path implies some amount of non-trust.
I reject the thesis that trust is binary. Were I to accept it, I trust nobody - everyone is vulnerable to being subverted by blackmail, intimidation, making mistakes, etc.
Trust of system is also not the only factor influencing my use of a system. I trust a deeply buried cement brick more than any computer, but I can't use the web with it. I have very different trust needs for my bank servers, my workstation, my catstation, and my gaming console.
You are making an apples and oranges comparison. On the one hand you have something that theoretically (and sometimes provably) is checked by people besides the project maintainers. You are absolutely right, but even taken your framing OSS OSs are orders (yes, plural) of magnitude more trustworthy than even older versions of Windows than 10. The privacy violations in 10 are large enough to make the system unusable by anyone that works with sensitive data (be it code, medical records, personal information, proprietary information etc).
Oh come on. Canonical did not hide what they were doing, and enabled an option to disable it in the first place. You could try finding better examples than that.
Did Microsoft? This is news to me if so, and I'd be interested in reading up on any sources for this you might have.
> and enabled an option to disable it in the first place.
Microsoft added several options to disable things. While I certainly agree that those options have some gaps and/or are outright bugged, I'm not convinced there's any difference in intent or motivation, which is the bigger factor to me when it comes to trust of character.
> I generally trust Microsoft and FOSS to not be actively malicious on their own behalf.
Yup, I completely agree. I trust both of them.
But I don't trust third-party programs made for Windows because I always have to un-check something just to not get some junk program attached to its installation. I've never encountered with a single such request since I made the switch to Linux two or three years ago.
While there are serious issues with Canonical, Mozilla, and other people in the "open source" community[1], there is a huge difference in both magnitude and intent between the problems with Canonical/Mozilla and what Microsoft is doing in Windows 10.
[1] That's one of the reasons some of us promote Free Software instead of Open Source.
I reject the thesis that trust is binary. Were I to accept it, I trust nobody - everyone is vulnerable to being subverted by blackmail, intimidation, making mistakes, etc.
You seem to be using a different definition of the word trust than I did. Everyone is vulnerable, does that mean you cannot trust anyone? No, you certainly can, that is the whole point of trust.
It's not my intent to. I'd ask that you clarify exactly how I have, if I have.
>> I reject the thesis that trust is binary. Were I to accept it, I trust nobody - everyone is vulnerable to being subverted by blackmail, intimidation, making mistakes, etc.
> You seem to be using a different definition of the word trust than I did.
Did any of the earlier discussion about what I do and don't trust Microsoft & FOSS with seem on the right track?
> Everyone is vulnerable, does that mean you cannot trust anyone?
It means I cannot trust in an absolute, binary fashion, of 100% certainty that it will not be misplaced. I can only trust that they'll probably do the right thing (tm).
> No, you certainly can, that is the whole point of trust.
EDIT: Added context now that new lines have shown up. Also added replies.
i use linux for my personal things, but this is not a very good argument for most people. wouldn't you trade 1 in 100 chance of the spying affecting you for a much more usable OS? Some people i know get Non-metaphorical headaches from trying yo get computer things to work.
Even people who are power users can only use Windows for games and some enterprise apps.
So you either don't use a computer at all or use Windows and sometimes OSX.
IMO Linux (specifically fedora with GNOME) is a much more usable OS than either Windows or OS X. You could argue that this isn't true for the average user, but my parents have no problem with it and neither do any of my nephews and nieces.
I could see some people needing office software, but the average user really can get by with LibreOffice.
A lot of those solutions have been around for centuries but are quite impractical. The problems are often the required operational tolerances, wear rate, poor torque characteristics and other real life issues.
Someone else made an animation of this in r/mechanicalgifs not long ago, and people brought up the same objection. It turns out, though, that you can buy angled screwdrivers using this mechanism, and they work pretty well.
This is a common problem in C. Integer types are inherently type unsafe and are silently promoted with many different rules which are hard to remember and understand. As is seen in this case, even the ( borderline paranoid ) flag -Wconversion would not catch the bug.
I think this problem in C would be solved with a single flag: -Wwarn-if-using-integers-of-different-types-in-an-operation , forcing you to cast the integer if the types don't match in a arithmetic operation, or an assignment.
Because no truncation happens. In this case [] operator doesn't specify any type, only that the expression inside is an integer expression. While normally the type size_t is used for object and array sizes, [] takes any integer expression and the compiler won't complain.
uint8_t *buffer = new (std::nothrow) uint8_t[size + chunk_size];
size + chunk_size is clearly unsafe to truncate to 32 bits, but it truncates anyway. When I say 'inside the new operator' I'm including the allocation function. Something truncates it. If it actually allocated 8GB, or failed to allocate 8GB, there would be no exploit.
Apparently new is a "special" operator, or there is a bug in the compiler. I also can't get a warning with g++.
The problem seems to be that, as I said, [] takes any integer expression, it is there where the value gets truncated when operator sizeof or new is applied on it since they either return or take a size_t value.
Can you also fake/spoof the appropriate signatures/headers? Otherwise separating that data is going to be very easy. Unless you do it on a higher level like emulating input, but then you won't have a very useful machine.
In comparison to OSX and Windows running on the same hardware, Ubuntu is worse in every meaningful way. Power management is terrible, window management is terrible, the Ubuntu software center is slow as hell and has no selection (amount of useful software is a huge concern, actually). It lacks polish in general, things that people have come to take for granted in their OSs are missing or badly implemented.
I'm sure the argument will come that most home users only need a web browser, so the software selection isn't a problem, but at that point you might as well just use Chrome OS and get something that actually works.
Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn't connected to a Microsoft Account.
Well there you go. If you ever wondered whether this is happening only on the Microsoft Account(tm).
