Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

> do we know some rogue process isnt vacuuming up your keystrokes?

The standard for holding a belief isn't "can you prove it is not so?", but "on the balance of evidence, is it likely to be so?".

If you believe everything you can't disprove, you'll hold an awful lot of bizarre and contradictory beliefs.

In the past I have spent some time believing some things simply because I couldn't disprove them, it is not good for the soul.



I think that was also the common approach to paranoia about your privacy pre-Snowden. But he kind of ended that discussion for many, although denial or ignorance is probably better for your soul indeed.


He didn't end the discussion, he presented evidence. When you receive updated evidence you should update your beliefs.

He presented good evidence that big corporations are co-operating with the NSA, or something, but he didn't present any evidence at all that regular Linux distros are monitoring all your keystrokes. As far as I know.


To just wildly speculate about mass surveillance without evidence is just baseless conspiracy theories, you really have nothing to worry about. Hope that helps.


> The standard for holding a belief isn't "can you prove it is not so?", but "on the balance of evidence, is it likely to be so?".

IANAP, but I don't think everyone agrees with that framing. Epistemology is a big topic.


On a related note, not believing some things because you cannot prove them is a road to naivety.

For me personally, based on the plethora of evidence given by other online platforms and applications, I think it's perfectly sane to assume that yes, your data is being slurped and logged. Maybe that's not a bad thing, maybe it is, but at this point I think that ship has sailed.

Can I prove it? No, mostly because the manufacturers have specifically designed it in such a way to be unprovable.


> based on the plethora of evidence

Yep, this is fine.

I'm not saying "don't believe anything you can't prove". I'm saying "don't believe everything you can't disprove".

Believe based on evidence, as you appear to be doing.

Windows is spying on your use of System Settings? Good evidence.

Linux process is spying on your keystrokes? No evidence.


The fact that our currently popular operating systems don't enable users to trivially 'disprove' such possibilities really shows how shitty they all are


What is a way in which you could disprove this?

How could you disprove that the Ubuntu ISO doesn’t do the same thing?


Well apart from monitoring network traffic, with Ubuntu you can examine the source code for anything that you don't trust or dive into what system calls an application makes by using "strace".


How is this different for Windows? Can’t you monitor Windows network traffic as well?

Does Ubuntu provide reproducible builds? How do you disprove that the source code isn’t for the thing that you’re downloading?

The (not so) revealing thing here is that this isn’t a technical problem, but that Microsoft has just completely lost the trust of people.


Well you can try monitoring Windows network connections, but Microsoft do seem to love obfuscating it with connections to multiple different domains that they own.

You can't even look at the Windows source code, so your question about reproducible builds seems to be moving the goalposts somewhat.

Also, is there something like "strace" on Windows?

Edit: just looked it up and Ubuntu doesn't enforce reproducible builds, although with their new "Monthly Snapshots", Canonical is moving towards reproducible build pipelines.


What is Ubuntu's source code worth for when you download precompiled binaries without checking if they were built with that source code?


That's your choice to do that and depending on your threat model, you may have some level of trust in Canonical to not screw over their customers.


I asked my original question very deliberately.

At the end of the day, it’s just about trust and reputation. I see no technical difference here for the ability to disprove random claims.


The necessary technical and UI/UX difference would be capability-based (https://en.wikipedia.org/wiki/Capability-based_security) microkernels like Sel4 or Genode combined with high level user interfaces that allow one to monitor and control the rights and actual resource access and usage of programs


However, it is possible to audit the Ubuntu software against the source code which is something that you cannot do with Windows. That is a technical difference even if you don't acknowledge it.

Also, Linux does make it much easier to determine your level of trust as the different components can be analysed/verified independently (although systemd is a bit of a monolith) whereas it's a lot trickier to isolate Windows components.


even without reproducible builds, you (or someone you hire or someone who's motivated) can get the source and create a drop-in replacement.

This is even more true on some other distros, eg Gentoo.

Without source and rights, Windows fails completely here.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: