[ale] Open Fire on Windows Viruses

Charles Shapiro hooterpincher at gmail.com
Fri Feb 19 09:59:03 EST 2010 

Aaron, you are a Hero and a Saint, and this could be a valuable start
on a pamphlet or web page. Here are some writing//grammar//style
points I picked up in a quick read.

The first sentence: "Just like avoiding contagious illness in the
physical world,
the best protections against computer infections involve
simple, common sense precautions. "  is subtly confusing.  I'm pretty
sure the "like" and the gerund ("avoiding") here is not quite right.
Maybe putting it in 2nd person is better: "Just as you avoid
contagious illness in the physical world, the best protections against
computer infections are simple, common-sense precautions".  Hmm.
"Avoiding contagious illness in the physical world is simple. So is
avoiding computer infection. You just need a few common sense
precautions."  Maybe you're packing too many ideas into one sentence.
Usually when I stumble over something like this as I read it I take it
as a signal that it should be broken up.

"Flipping this analogy affirms that" can go.  You already flip it in
the sentence. No need to point out what you're doing.

In the 2nd paragraph, "After the options of choosing.." can go in
favor of "After choosing".  Also, the usual usage is "software", not
"softwares". The same holds for the "softwares" in the 4th paragraph.

In the 5th paragraph, "publicly" is irrelevant. Publish implies
publicly.  Also you have a plural disagreement in " Further indicators
that a true Open Source program is trustworthy is when . . ."
I think you mean "are that" here. The same problem is in paragraph 6,
at "The increasing numbers
of interactive features on the internet has spawned a"  I think that
"number" should be singular, so it should read "The increasing number
of interactive features on the internet has spawned...". You could
make the case that it should read "The increasing numbers of
interactive features on the internet have spawned..."

The phrase "intentional vulnerabilities being intentionally built into
commercial computer products." needs to lose one "intentional".


If you've read this far, you're **really** khoul. And I think this is
a Great Thing, don't get me wrong.

-- CHS



On Thu, Feb 18, 2010 at 9:27 PM, Michael B. Trausch <mike at trausch.us> wrote:
> So, before you read my reply below, I have just some minor commentary on
> your writing.  I'd suggest capitalizing "Internet" when referring to
> _the_ Internet, since it is a proper noun.  I would also suggest not
> capitalizing things that are not proper nouns (such as "operating
> system").  As far as other non-proper nouns go, if you want to emphasize
> them, do, but don't do it with initial caps because it doesn't quite
> read the way you'd expect when you're just coming to the topic.  If
> every Important Concept (hah, see what I did there? ;-)) were
> capitalized, it gets to be a bit difficult to read or gives the
> appearance of obvious bias, instead of nudging the reader in the
> intended direction.
>
> Those are just my 2¢ there.  More follows, though.
>
> On 02/18/2010 05:13 PM, arxaaron wrote:
>> I try to
>> address Mike's other critiques by clarifying that the
>> issues being addressed by Open Source and Free
>> and Freedom Friendly Software are practical and self
>> evident levels of trust WORTHINESS, and not an
>> expectation absolute or automatic "TRUST".  As a
>> general rule, I think any exchange of goods or services
>> will be more Worthy of Trust the further that ulterior
>> motives of greed and secrecy are removed from the
>> transaction.
>
> I was able to finally remember what I was trying to say the other night.
>  The notion of trust and the whole discussion had me thinking that I
> had read something on it a while back.  Indeed, it was Ken Thompson's
> Turing Award lecture, "Reflections on Trusting Trust".
>
> In particular, he says, "You can't trust code that you did not totally
> create yourself.  (Especially code from companies that employ people
> like me.)  No amount of source-level verification or scrutiny will
> protect you from using untrusted code."
>
> In this passage, what he is discussing is the C compiler that he rigged
> such that, when fed the non-rigged compiler source code, the temporary
> rigged compiler would generate a compiler that was also rigged.  It
> would also bug the system's login program such that it would accept a
> backdoor password for any valid system login.  It also rigged the
> disassembler such that looking for these issues would result in the
> affected code blocks being hidden.
>
> He also makes the statement just under the title on the paper, "Perhaps
> it is more important to trust the people who wrote the software."  This
> brings me back to the argument that I think I made somewhat
> ineffectively.  In order to trust, say, GNOME, you would not only have
> to be aware of every line of code written that is itself GNOME, but you
> have to know and trust the people that put their time and effort into
> GNOME, a good majority of the GNU stack (including GCC and its 9.5+
> million lines of source code and the GNU libc 1+ million lines of source
> code), the Linux kernel (8.2+ million lines of source code), and the
> firmware and hardware on the computer system that you are running.
>
> I'm not sure that I trust everything in the stack all that terribly
> wonderfully.  I cannot say with any level of certainty, for example,
> that there is not something in my computer's firmware that logs my
> keystrokes and sends them off somewhere when it sees IP traffic going
> through my network interfaces.  After all, it's entirely within the
> realm of possibility, and the ROM BIOS in this system has enough space
> to have code that does that, in my estimation.
>
> Then again, I don't know that I can trust any of the software components
> I mentioned above, just because they are so large.  I won't go to the
> trouble to try to figure out just what all of GNOME and its dependencies
> on a GNU/Linux system are, but already I've enumerated about 18.7+
> million lines of source code.  If I could read 1 KLOC per day, it would
> take me 18,700 days to audit all of it.  And I haven't even mentioned
> any of the base source packages that make GNU/Linux UNIX-like, nor am I
> including misc. additional dependencies of the Linux kernel, or any of that.
>
> Do I trust it enough to use it?  Sure.  Do I make any sort of assumption
> that any of my data is truly private?  No.  If I wanted data to be
> *truly* private, I would not store it in a computer system at all, even
> encrypted, unless that computer system _never_ had outbound
> communication via any medium.  To my knowledge, it's the only way that
> one can be absolutely sure that a system isn't rigged in the way that
> Thompson rigged his C compiler and it's subsequent compiled output.
> Because after all, having the source is pretty much irrelevant (at least
> when it comes to this).
>
> Now, should this whole mail have any influence on what you write?
> Probably not.  These are pretty in-depth issues that most people---at
> least most people that I know---have less than zero interest in thinking
> about.
>
>        --- Mike
>
> --
> Michael B. Trausch                                    ☎ (404) 492-6475
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>

More information about the Ale mailing list