Is GNUCASH, in fact, unsafe....

Robert Heller heller at deepsoft.com
Thu Nov 10 08:00:27 EST 2011


At Thu, 10 Nov 2011 07:34:58 -0500 stepbystepfarm at mtdata.com wrote:

> 
> 
> >Avast used to complain about ,,,,,,
> >
> Our virus checkers will either fail to detect some viruses or give us 
> some false positives or both. This isn't because they aren't good enough 
> but because it is IMPOSSIBLE to have a program that can check the code 
> of any other program (a "universal checker") to determine the runtime 
> behavior of that code and be 100% correct in doing that. The behavior in 
> this case being "acts like a virus" but in the original statement of 
> what is known as the fundamental theorem of computation it was "loops". 
> You prove it in the same way.

I believe most *practical* virus checkers look for 'code signatures',
that is known patterns of machine code.  They have a database of these
signatures (code patterns) and do some sort of byte comparison.  Again,
there are all sorts of uncertainties here also -- eg possibilities for
both missed viruses or false positives.

The only 100% certain check is to download the *source code*, go over it
with a fine tooth comb and compile it yourself.  But for most people
this is not practical.  Downloading the code from a *trusted* source and
running a CRC type check (eg md5sum) is a close runner up.

In my case, since I run Linux (centos), I use yum to install from the
EPEL repository.  Yum does a signature check on the RPMs (package files)
to verify that the packages have not been messed with or something. Oh,
and running Linux avoids the whole virus thing in general.

> 
> Assume that there was such a universal checker. You can think of it as a 
> function V(p) that returns 1 if p will act like a virus and 0 if p will 
> not act like a virus. Then construct the simple program P
>    If V(p) then halt
>      else "act like a virus"
> 
> What is the result of trying to check P? In other words, what is the 
> result of  V(P)
> 
> See? This supposedly always correct virus checker gets P wrong.  So it 
> can't exist.
> 
> Michael
> 
> PS: While almost any Computer Science person knows this theorem (and who 
> first proved it) do not feel bad because you didn't. In the large shop 
> where I worked for three decades I bet less than 2% of my co-workers 
> did. Information Technology people are not the same as Computer Science 
> people and besides, most of us had undergraduate degrees unrelated to 
> either. Mine was Physics.
> 
> 

-- 
Robert Heller             -- 978-544-6933 / heller at deepsoft.com
Deepwoods Software        -- http://www.deepsoft.com/
()  ascii ribbon campaign -- against html e-mail
/\  www.asciiribbon.org   -- against proprietary attachments
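
Added example, not part of the original message: a minimal byte-pattern scanner of the kind the reply describes (a signature database plus a byte comparison), run over four samples to show one false negative and one false positive. The signature names, byte patterns and sample contents are all constructed for this illustration and are not real malware signatures.

```python
"""Toy signature scanner: exact byte-pattern matching against a small database."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes


# Constructed signature database (made-up names and byte patterns).
SIGNATURES = [
    Signature("Demo.Dropper.A", bytes.fromhex("deadbeef90904142")),
    Signature("Demo.Macro.B", b"AutoOpen_DEMO_PAYLOAD"),
]


def scan(data: bytes, signatures=SIGNATURES):
    """Return [(signature name, offset), ...] for every pattern found in data."""
    hits = []
    for sig in signatures:
        start = 0
        while (pos := data.find(sig.pattern, start)) != -1:
            hits.append((sig.name, pos))
            start = pos + 1
    return sorted(hits, key=lambda hit: (hit[1], hit[0]))


PATTERN_A = SIGNATURES[0].pattern

# Constructed samples, one per outcome.
SAMPLES = {
    # The exact sample the signature was written from: detected.
    "known_bad.bin": b"\x00" * 16 + PATTERN_A + b"\xff" * 8,
    # Same content with one byte changed inside the pattern: missed.
    "variant.bin": b"\x00" * 16 + PATTERN_A[:4] + b"\x91" + PATTERN_A[5:] + b"\xff" * 8,
    # Harmless text that merely quotes a pattern: false positive.
    "av_docs.txt": b"Notes on signature: " + SIGNATURES[1].pattern + b" (quoted)",
    # Unrelated data: correctly reported clean.
    "clean.bin": bytes(range(64)),
}


def report(samples=SAMPLES):
    """Scan every sample and return {file name: list of hits}."""
    return {name: scan(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        print(f"{name:14} {'FLAGGED ' + str(hits) if hits else 'clean'}")
```

The scanner only answers whether known bytes are present, which is why it flags the text file and passes the variant; it says nothing about what either file would do when run.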


                                                              

