Comment nedit (Score 1) 402

I still use nedit, though it hasn't had any decent upgrade in years. Nonmodal (modal is why I don't like vi/vim), simple, easy to hack regex-based syntax highlighting (though that can be tripped up sometimes - I'm looking at you, Perl), simple enough to get out of your way (I'm looking at you, emacs), and fast with no lag (I'm looking at you, jEdit).

Comment Re:and this is news why? (Score 1) 205

My understanding of this: read-only only mitigates part of this.

The simple part:

So, you plug something in. It gets an enumerate request. It replies back "Howdy, I'm a USB mass storage device (a.k.a. hard drive)". OK, cool, I mount you read-only. But then the stick says "Oh, BTW, I'm also a keyboard". This is where you get hosed. Read-only, disabled autoplay, doesn't help you as much as you want.

The "keyboard" can then send keystrokes to your machine. There are probably some things you can do with this without raising suspicion.

The next level:

So you plug something in. Your device is evil, and it knows some bugs in some Host Controller firmware.

The OS tries to enumerate the device. The evil device knows how to send packets that then pwn the host controller. It rejigs the firmware. This is now screwed. This is under the OS, under any device driver even. You are now pwned. Your host controller now can be used to lie about files coming from disk, or lie about keyboard, or siphon things off.

All this before it even figures out that this is supposed to be a mass storage device, much less read only.

This is wickedly clever.
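The "simple part" above (a stick that enumerates as mass storage and then also as a keyboard) is something a host can at least notice at enumeration time. The script below is an added example, not code from the original post: it parses a constructed, made-up interface log and flags any device whose interface set mixes the USB mass-storage class with the HID class. The class codes 0x03 (HID) and 0x08 (mass storage) are the real USB-IF base class codes; the log format, device names and the `classify` policy names are assumptions made for this example.

```python
import re
from collections import defaultdict

# USB-IF base class codes as carried in the bInterfaceClass field.
USB_CLASS_HID = 0x03            # keyboards, mice
USB_CLASS_MASS_STORAGE = 0x08   # the "USB hard drive" the stick claims to be

# Constructed sample input (not captured from a real host): one line per
# interface the host saw during enumeration, in a made-up format
# "<bus>-<port> if=<interface number> class=<bInterfaceClass hex>".
SAMPLE_LOG = """\
1-1 if=0 class=08
1-2 if=0 class=08
1-2 if=1 class=03
1-3 if=0 class=03
1-4 if=0 class=08
1-4 if=1 class=0a
"""

LINE_RE = re.compile(
    r"^(?P<dev>\S+)\s+if=(?P<ifnum>\d+)\s+class=(?P<cls>[0-9a-fA-F]{2})$"
)


def parse_interfaces(log_text):
    """Map each device to the set of interface classes it advertised."""
    classes = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable interface line: {line!r}")
        classes[m.group("dev")].add(int(m.group("cls"), 16))
    return dict(classes)


def classify(interface_classes):
    """Policy label for one device, given the set of classes it advertised.

    'hid-and-storage' is the stick-that-is-also-a-keyboard case, which a
    read-only mount does nothing about; 'hid' and 'storage' are ordinary
    single-role devices; anything else is 'other'. (Label names are
    this example's own convention.)
    """
    has_hid = USB_CLASS_HID in interface_classes
    has_storage = USB_CLASS_MASS_STORAGE in interface_classes
    if has_hid and has_storage:
        return "hid-and-storage"
    if has_hid:
        return "hid"
    if has_storage:
        return "storage"
    return "other"


def suspicious_devices(log_text):
    """Devices whose interface set mixes storage and HID, sorted by name."""
    parsed = parse_interfaces(log_text)
    return sorted(dev for dev, cls in parsed.items()
                  if classify(cls) == "hid-and-storage")


if __name__ == "__main__":
    for dev, cls in sorted(parse_interfaces(SAMPLE_LOG).items()):
        print(dev, sorted(f"{c:02x}" for c in cls), classify(cls))
    print("flag for review:", suspicious_devices(SAMPLE_LOG))
```

On the sample input only `1-2` is flagged; `1-4` pairs storage with a CDC data interface (0x0a) and is left alone. The check only sees what the host enumerated, so a device that detaches and re-enumerates later with a different interface set has to be re-evaluated on each attach; and, as the comment's "next level" says, nothing at this layer helps once the host controller itself has been subverted.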

Comment Re:Wow ... (Score 1) 419

I sorta second the "marketing purposes" asking for ZIP.

You can usually refuse this, and besides that, about 50% of the time they ask you for zip after the transaction has gone through anyway. They can read Track 1 of your card, which includes your name. Name + zip is a decent proxy for unique ID, and Acxiom probably has your name anyway.

Comment Re:Article got it wrong (Score 1) 101

Hmm, like the AC joke below, I'm a bit torn when you said "Security Expert" for Steve Gibson. Aside from prodigious self-promotion, as far as actual security talent, Steve's both good and bad. I may listen to this one, because this one is more in his wheelhouse - specifically, describing in easier terms a complicated subject previously researched and digested by someone else.

He's much less useful when making declarations of what to do - he's too enamored of assembly (which can lead to more security holes - there are no checks or restrictions in assembly as in, say, C#, Java, or even C++), and he keeps talking about how he won't move off of XP (and implies that it's safe for others to do so).

Comment Re:Stallman was right (Score 1) 101

Stallman is crazy. Even crazy people can be right about a few things here and there, but overall he's a zealot. The joke goes "even a stopped watch is right a couple of times a day - though you need a second working watch to see when."

The Hurd has been under development since 1983. Three decades, and still not a stable version? When he started the HURD we didn't have the web, nor the Internet. If we waited for Stallman to actually ship, we would have lost out on a lot (both good and bad, but mostly good).

The issue with Stallman is where do you stop? OK, so now you have an OS totally under your control (well, maybe, but let's pretend yes). Now, the hardware! OK, rewrite the BIOS/OpenFirmware. Now you're under control! No, there may be stuff in the chips... let's go grab some sand.

Soon enough, you either have to say you write everything (and this is the mess you get from making your own toaster) or just realize you need to have faith in some companies you may or may not want to trust.

Comment Re:Zero Days? Updates? (Score 1) 132

My point is - part of the security of a LiveCD is the fact it's a read-only medium. Malware can't write to it. But it also means you can't update buggy code. What if my LiveCD has Heartbleed?

The AC who commented "burn a new one" doesn't know how most distros do things, which is not to create a new CD image every time a package changes. The CD image is current on Day 1, and deviates from the true distro starting possibly on Day 2. Unless you only use the CD Image on release days, you'll always be slightly behind on (at least some) packages.

Yes yes, I know part of the point of a USB stick is a controlled distro where you know the current state of all things on it. But it still has issues with zero days. Let's say there's a zero day, and I write to your USB stick. Now you're compromised, with a false sense of security. Do people drop to "single user with networking" on their USB sticks, do updates, then run in multi-user with parts of the file system read-only?

Comment Re:Code the way you want... (Score 1) 372

When I heard the Learn’d Astronomer

WHEN I heard the learn’d astronomer;
When the proofs, the figures, were ranged in columns before me;
When I was shown the charts and the diagrams, to add, divide, and measure them;
When I, sitting, heard the astronomer, where he lectured with much applause in the lecture-room,
How soon, unaccountable, I became tired and sick;
Till rising and gliding out, I wander’d off by myself,
In the mystical moist night-air, and from time to time,
Look’d up in perfect silence at the stars.

Sometimes it sucks when your hobby becomes your profession. But it doesn't have to stop being your hobby.

Comment Commodore 64 (Score 1) 372

Part of my nostalgia for coding on the C64 is how you felt you could know everything about the box. There was a book, Mapping the C64 and C64C, that told you about every single address on the computer. You felt you could get everything done with some pokes and peeks, or some machine language. (LDA anyone?)

Now, you can do more, but you don't feel you can push the envelope of the hardware. How many classes does Java add every release cycle? How often does CPAN turn over?

I think I'm not the only one with that nostalgia; there's an offer on that book for >700 dollars. I lost mine over the course of several moves during college days.

Comment Law Enforcement should cost (Score 1) 98

Process is now taking about four months on average, and costs about $1,000, so LE is looking for streamlined / inexpensive tools to collect evidence.

Part of the protection against tyranny isn't the gun, but simply that certain law enforcement has certain costs. Part of it is red tape - a warrant sticks some glue in the process, slows it down. Part of it is monetary costs. In the 1970s wiretaps cost a lot.

These costs force some filtering of resources. You can't just go after everyone, you need to be somewhat efficient with resources. It doesn't eliminate bad actors, but it makes the consequences more intense.

Part of what the NSA is doing, they can do because the surveillance is so cheap. If it cost them 1000 a person, then just in America it would cost them 350 Billion a year to spy. The world would cost 7 Trillion. We can't afford that; only because surveillance is (too) cheap does mass surveillance make sense.

Comment Re:Texas! (Score 2) 172

Troll feeding time...

Why is it that government can never do anything right, well, unless it's the army, then it can do no wrong? Somehow, if there's a bullet involved, government becomes perfect. Try to feed a kid, whoa, that can never work.

Oh, and if the government tries something and it doesn't work, that's proof that government sucks. But if it does something, and can compete with private business, hey, that's government being mean, and there's some law to prevent it. Government sucks by attrition - anything that works better than private industry is killed and all you see are the things that don't work.

Anyways, Google started using the university network, using students educated at Stanford, using an operating system partially developed at a university, using a networking protocol developed at a university from ideas originally from a government institution. The original hardware included a Sun, again developed at Stanford. They used the web, which was started as a non-business thing: a bunch of CERN guys wanted to push physics research papers around. The first web didn't have much commerce on it; it was the NCSA web server (NCSA from the University of Illinois - a public land-grant institution) and NCSA Mosaic that popularized it before any company went on.

Yet, you'd say none of that matters. It's very easy to win arguments by definition. I'm sure you'd say "but none of that HELPED them" and just dismiss it.
