Slashdot Mirror
Security Holes Draw Linux Developers' Ire
jd writes "In what looks to be a split that could potentially undermine efforts to assure people that Linux is secure and stable, the developers of the GRSecurity kit and RSBAC are getting increasingly angry over security holes in Linux and the design of the Linux Security Modules. LWN has published a short article by Brad Spengler, the guy behind GRSecurity and it has stoked up a fierce storm, with claims of critical patches being ignored, good security practices being ignored for political reasons, etc. Regardless of the merits of the case by either side, this needs to be aired and examined before it becomes more of a problem. Especially in light of the recent kernel vulnerability debated on Slashdot."
Given that I'm getting lousy uptimes on my Linux servers because of the mandatory kernel upgrades, I certainly welcome a (constructive) critical look at Linux kernel security.
see a Text Widget
Please, Slashdot, do not feed such trolls : I have yet to hear abuot some decently setup Linux server that would be *that* insecure.
Trolling using another account since 2005.
but I don't really see much counterpoint. Anyone have URLs for where this has been discussed in some more depth?
Chris "Ng" Jones
cmsj@tenshu.net
www.tenshu.net
Is this mob anything like Gibson Research?
For our sakes I hope not...
It's interesting to note that this comes out so recently after Linus was named one of ITs best managers. Lord knows he'd have to be to keep so many disgruntled people quelled. In the followup, somebody was citing as an excuse that Linus is one person and that there's only 24 hours in the day, so maybe some patches get missed. I was wondering, with all of the people he delegates to, isn't there somebody who handles all the security issues? Scroll down the LWN article, and somebody mentions that he needs a Kernel Security Officer, with no follow-up. Does Linus not have one of these guys yet?
The trade off between security versus usability/accessability begins?
Will Linux strike the perfect balance? Will Linux be taken over by a lunatic like Theo and go the OpenBSD route? Will Linux lose it's viginity to Windows and become a security nightmare? Stay tuned! All this and more on the next episode of OS wars!
ok it has some problems that need to be worked out... but what are the alternatives... is this story meant to cause people to say "OMG M$ was right better contact my local sales rep" or is the community slacking???
All the torrents you could want.
There are other unix implimentations out there. Few of them suck as badly as linux does. Try one.
...oh, wait - I AM running Novell Linux. Oops. Um, I should tehn run and hide in a closet?
Maybe I should implement security measures and have a good backup system?
Nah!
This kind of reminds me about all the people telling me you could die while driving a car - no s---, Sherlock! Use common sense.
The Kai's Semi-Updated Website Thingy
i wouldn't say linux sucks, quite the contrary unix may be a viable choice in some situations but the flexability of linux is probably its greatest asset... being able to use the same distribution for your server, laptop, and desktop with various different configs is something that is quite admirable
All the torrents you could want.
There are tons of services that you can't just pop a couple machines together and tada, they are loadbalanced. Just because its easy for simple things like http and smtp, doesn't mean its easy for everything.
For years now people have been carrying the Linux flag due to the fact that its "more secure then windows"... guess what people.. time for being an unknown, unpopular OS is at hand... welcome to being known.
I use the same OS for my laptop and my servers. I can't use anything but windows for my desktop since its for games. I would have the exact same situation if I used linux, only worse reliability and security, and constant upgrade hassles. KDE, or gnome, or xfce, or whatever you want works on unix in general, not just linux.
Backups and non-specific "security measures" won't stop you from getting 0wn3d because of kernel holes. And don't dismiss local root exploits because you don't give out accounts. Tons of linux software is full of holes, and people don't care about those because "it doesn't run as root". Its easy to put the 2 together.
Do you mean Solaris with still has rpc bugs even though they have been fixed several times.
Their new svc stuff is great too since if you can hack the one file you can keep running external services and the sysadmin will never know. Nothing like binary files that are always getting rewritten that can be hacked. Thanks to the sun guys for replacing init with something more stupid than the windows registry.
3 weeks is a sufficient amount of time to be able to expect even a reply about a given vulnerability. A patch for the vulnerability was attached to the mails, and in the PaX team's mails, a working exploit as well. Private notification of vulnerabilities is a privilege, and when that privilege is abused by not responding promptly, it deserves to be revoked.
If that account is accurate this incident at best indicates bad process and ineptitude thought to be exclusive to large corporate vendors.
FreeBSD, OpenBSD, NetBSD, OSX, AIX, Solaris, Tru64 and Irix all suck less than linux. Unixware and HP-UX suck more than linux. I am sure there are others I have not used.
Maybe it's time everybody get off of their OS Religious High Horse and finally admited that an OS is only as stable and secure as the user who is administering it.
My Windows XP machine is solid and secure. My FreeBSD machine is solid and secure. My Windows ME machine -- well -- it runs, and it's quarenteened so I suppose in some ways it's secure.
Right now I'm installing Gentoo on a box so I'm going to see where this goes, but I am going into it with full realization that no OS is perfect, nor is it perfectly secure. This means that I'm going to take security as seriously with this machine as I do the rest of them.
Having the source to an OS doesn't make it more secure if you don't read (or understand) every line of it.
Why people think OSS is automatically more secure is something I never have really understood. There is some added comfort in knowing that most holes will be discovered and fixed promptly, but even that is an assumption one shouldn't bank on.
"Everything you know is wrong. (And stupid.)"
Moderation Totals: Wrong=2, Stupid=3, Total=5.
Grsecurity guys (Brad and the pax guy mostly) are dead serious. They have been researching their areas of memory management, protection and secure code for years. They really do know it pretty much all. For instance the "AMD NX protection!!!!" that the Redhat raved about was copied from Pax. (Without even crediting properly.)
They are just the sort of real gurus that can spot new vulnerabilities from code and exploit them in a matter of minutes. When Grsecurity was having serious funding problems last summer Brad was forced to sell new vulnerabilities from Linux kernel code to unmentioned blackhat companies. (Those do exist, believe me. They are doing commercial intelligence, stealing trade secrets with the knownledge..)
Those guys are technically brilliant, years ahead of what Linux stock kernel has in security features. They are just a bit arrogant and bad with people. Also at the same moment the upstream kernel developers don't like being told that their stuff is complete crap on some area. They downplay it, ignore and use the "whoareyou,Iamthekerneldeveloper,youknownothing" tactic.
Grsecurity guys could absolutely smash LSM by showing the vulnerabilities they are talking about as pocs. They are just a bit too disgusted and pissed off. There are several other areas like the exec_shield (that *is* atm getting to upstream kernel) that have big faults as well...
They could prove their other points as well.. But it would be moot since they ARE correct in any case.
So when does "better security" mean "100% unbreakable". Lets face the facts here, Linux is great but it does have leaks. Does that mean I'm worried about it...not really. Why?, cause there is community that works to help patch such things. Better to fix an issue than know about it and leave it be *cough*microsoft*cough*.
Linux is the contender for replacing Windows on servers. Windows gives a notoriously low standard of security, which companies are still willing to pour $$$ into. Even Linux's bad security is good in comparison. Coupled with hardware firewalls, I feel completely confident leaving my Linux server accessible by a Wireless network.
Are there any distros out that include GRSecurity? I use it on all my 2.4 kernel boxes with great success and just started using it on production 2.6 systems. Overall, I find it to be very stable, and a very worth while extra layer of protection even without using the role based ACLs.
---- join dshield.org Distributed Intrusion Detec
I wouldn't be surprised if Linux is less secure than the NT kernel. NT has much finer grained access control than Linux (although not if you include SELinux), and I haven't heard anything about kernel exploits in Windows for a while (although this may be because I haven't been paying attention). The problem with Windows is all of the cruft on top of the kernel that doesn't need to be run with administrator privileges, but is, and is full of security holes.
I am TheRaven on Soylent News
emerge sys-kernel/grsec-sources
The fact that it doesn't even show up in bugzilla makes me think it's still under embargo for some reason. Shouldn't the leak be sufficient reason to change their timeline? For those of us running production servers, this waiting game is more than a little inconvenient.
On a side note, from what I've seen, the exploit has only been demonstrated on uniprocessor 2.4 kernels. Anyone get it to work on an SMP kernel, or a 2.6 kernel?
With 2.6 there seems to be a bad trend towards far too much politics in the kernel. The cdrecord problems and reiser4 business (did that ever get sorted out?) together with the IMO stupid policy of putting new features in the stable branch (making deciding whether a feature can be added much harder, since it needs to be that much more stable and necessary before it can be added, but often you can't prove it's necessary without having some kernel branch running with it in) all smack of too much politics. Why can't people just concentrate on making the best kernel possible?
I am trolling
Long-time shell-provider SDF used Linux
Now, it's a 64-bit version of NetBSD.
OpenBSD claims:
"Only one remote hole in the default install,
in more than 8 years!"
Why not start with a core built for security,
- ie, rather than one built for popularity?
My two cents...
According to LWN the advisories were sent to Linus Torvalds and Andrew Morton themselves. I'll admit that I don't know jack about the inner-workings of Linux Kernel development, but one would think that something of that nature would go out to the person in charge of security related issues or even out to the distributions to get a fix circulating. I could be dead wrong and maybe Linus is just the only guy running the show and decides when he'll spend some of his time patching the kernel. This also seems as a sort of public way of the author expressing his disdain towards Linux security and as a sort of publicity for his own system. Maybe I'm just too much of a cynic, but things aren't all they are cracked up to be. Please note that I am not saying that there isn't some sort of responsibility there, but that this seems overly hostile.
Steal This Sig
Though LSM can be disabled in the vanilla kernel to allow the system to work functionally as it did in 2.4, all linux distributions will most likely be enabling it in their kernels. The mere existence of a security framework is not going to urge more users to use Trusted OS components in their kernels.
I was just cruising down through the article, until I came across this one.
Alan Cox has applied the patches to his tree: Google linux.kernel archive.
So maybe being obnoxious has got GRSecurity some attention.
Pirate Party UK
So ... rather than ask on the mailing list who is the best person for security submissions relating to whatever bug he found, he emails the top dude (during Christmas holidays no less) and then whines when no answer is forthcoming within his preferred timeline. Gimme a break!
As a total noob, I went to kernel,org and found this on the first page:n g-bugs.html if you want to report a Linux kernel bug.
Please see http://www.kernel.org/pub/linux/docs/lkml/reporti
http://www.tux.org/lkml/#ss5 explains why XX doesn't answer emails - too fricking busy is the usual reason.
If I were concerned about publishing the bug, I would have asked ON THE LKML LIST for who would be the best person to submit security-related bug and patch to for the XX module.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
I read somewhere that NT 4.0 was certified Dept of Defense Secure Platform.... but only if you didn't connect it to a network.
What would you recommend, given that Fedora Core is where all the SELinux development (you know, the stuff the NSA did?) is going on at the moment?
Fine grain control != more secure.
Fine grain control doesn't realy have much to do with the kernel.
What SELinux is is Mandatory Access Controls. Or MAC
What the standard Unix (and Windows) model is discretionary access control.
What this means is that your access is based on your UID and GUID. If you have permission or not to access a file.
Mandatory Access control allows you to control access based on BEHAVIOR and other criteria.
So say your a idiot and run Apache webserver as root. If your Apache server gets attacked and successfully comprimised then if you only have DAC permissions then your system is laid wide open for attackers.
If you do the same thing with a MAC setup then even if they comprimise Apache and get root then they still can't do jack shit because you have the Apache proccess setup to only allow certain behaviors nessicary to operate itself all else access is denied and it doesn't matter if you have a UID of 0.
You can set it up so that if you log in as root thru SSH you have different access controls then when you log in thru a local virtual console or use SU to obtain it.
Windows doesn't have anything that comes close to this sort of thing.
As for the ACL's that Windows uses, Linux has those in the form of Posix-compatable ACLs.
Most distros support this, but it's disabled by default.
Why?
because it's not needed. Finer grain = more likely to fuck up.
90% of the time when a person thinks they need it, they simply aren't being creative enough to figure out a better solution.
If your smart enough to get to the point were you realy need it then you know out to turn it on, and it's very simple. Basicly it amounts to a -o remount and a couple other options.
Fedora Core3 uses SELinux by default. The Gsecurity complaints about the LSM is misguided and obsolete, it already has been used to allow things like low-latency sound server JACK setup for audio workstations and other purposes that wouldn't be possible.
This article is CRAP. It's a troll pure and simple and a way to stir up bullshit.
Linux actually has a pretty decent track record and the lack of a 2.7 development kernel wouldn't of stopped this latest flaw because it was something that existed since before 2.4 (were there always has been a development kernel).
Linux has it's security issues, always has. OpenBSD is what you use when you want something deadly secure, but it's 10x better then anything coming out of the windows world.
That's why people say that "Linux is more secure", not "Linux is the most secure OS ever made and will never have any security issues whatsoever"
This GSecurity has provided a usefull service in reporting bugs, but this isn't the first time that he has tried to drum up controversy. First time was threatening to take gsecurity down because lack of support, then the SELinux crap, and now that Linus doesn't respond to crappily labeled e-mails.
Linus gets LOTS of e-mail. It's just something that got lost in the shuffle. There are people that are incharge of this sort of thing and gsecurity should of contacted them in order to get the issue resolved quickly.
It would be like emailing billg@microsoft.com to report a bug in Windows.
Before this there was a spat over Linus disabling the ability for people to access the scsi stuff thru setuid.
This disabled the ability to burn cds as a user using certain programs.
This was done for security reasons and people Bitched and moaned how Linus +friends cared to much about security and didn't give a shit that linux would loose users because now they have to use sudo to burn cds.
Basicly.
It's blowing a problem out of porportions.
And who are the best people in the world at keeping information secure?
Security through obscurity is the first layer, nothing more, but nothing less either. If you open everything up, you have removed a layer of security. You need to be getting more than compensating advantages in your remaining layers as a result, or it wasn't a smart move. Time will tell which of these is really true of the OSS community's approach.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
>Hi all,i b.txt ?
e l&m=110 514006004261&w=2
l &m=110 512844202355&w=2
;)
>Is there a patch to uselib() bug ->
>> http://www.isec.pl/vulnerabilities/isec-0021-usel
Date: Sun, 09 Jan 2005 17:28:35 +0100
From: Henrik Persson
To: Breno Silva Pinto
Cc: linux-kernel@vger.kernel.org
Subject: Re: patch to uselib()
It's patched in 2.4.29-rc1 and 2.6.10-ac6. A patch for 2.4 can also be found here:
http://marc.theaimsgroup.com/?l=linux-kern
and for 2.6:
http://marc.theaimsgroup.com/?l=linux-kerne
Browsing the archives usually gives you alot of answers, you know.
----------------
Cut-n-pasted from the LKML
C|N>K
There are many sorts of security. The security you are talking is about
- Being secure from kiddies, non-professionals
- Being secure from known vulnerabilities
The point in Grsecurity is to get full or at least constraining fixes for
- The previously unknown userland problems
- What professionals could do to you
In such both Windows and upstream Linux are not REALLY secure. They are if administered properly secure against the lowest levels of threats. There is better...
The worst politics of all is the Linus'es stance against driver ABIs. That's one reason behind the device support is still slumbering.
With the ABIs the vendors would not have to create more than one version of their drivers for one architecture. Now they must practically either GPL the stuff or create versions for every kernel version.
It's not a big task but that's not how vendors see it. ABIs would bring us a lot of hardware support and robustness we are needing. The fears (impact to the agility of kernel development etc) could be handled. That's why there are the project teams..
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
No, SELinux is just a piece of crap. Read the LSM/Selinux pages at RSBAC's site. It is lacking way too much hooks and the whole architecture is plain wrong. Besides NT doesn't let the drivers and such into kernelland. It helps the kernel vastly in governing what is happening.
I emailed Bill Gates to say that with a tunnelling electron microscope someone could adjust the logic in the CPU and DOS WindowsXP, and he hasn't answered me. Pout!
_O_
.|< The named which can be named is not the true named
You should note that most of us learnt the last do_brk() vulnerability from Slashdot. And kernel hackers just fixes big security holes like this and silently updates Changelog. Imho there should be advisories from kernel.org .Its not a valid excuse to wait for distribution's advisories. All other projects publish their own advisories and kernel is not really different from those.
Never learn by your mistakes, if you do you may never dare to try again
The parent was modded up to "Score:3, Insightful" for claiming that the popularity of Linux is new (it is "known" in his words), implying that this now makes Linux a target for security attacks.
But, in fact, the parent poster is ignorant of the facts.
Linux runs 30% or more of all websites. This has been the case since at least March of 2001 -- almost four years ago!
This means that for the last four years, there have been almost as many Linux webservers (30%) as Windows webservers (50%) on the Internet.
And yet almost all of the major virus and worm outbreaks have occurred against Windows platforms.
And let's not forget that there are over twice as many Apache servers as IIS servers, yet only IIS has been compromised on a regular basis.
Face it -- Microsoft's record on security is abysmal. And it can't be explained by popularity.
It is a set of patches. Just because they are distributed so you can apply it with one command doesn't change the fact that its a mish mash of patches from various people with varying quality/correctness.
And the random made up slander of openbsd doesn't exactly add to your credibility. Its a highly effective solution, which is in full use. Grsec breaks too much stuff and is therefore in use by nobody anywhere. Feel free to point out the cvs commit message that fixes your magical constant canary problem.
security people seem to have failed to notice a major transition in the industry: single-person desktops and no-user-shell servers have come to dominate. yes, there are still a few places where login accounts are given to a potentially hostile userbase. those sites do need to worry about local-root exploits, and even, to some extent, local-DOS exploits.
but people who focus their lives on security seem to have a clear tendency to lose track of the actual importance of these problems. just look at the whiny grsecurity message - what the FUCK is a "moxa" and why should I give a damn about it?
all security is not equally important, just as perfect security makes any system completely useless. people who live and breathe this stuff need to realize that they are extreme outliers, often so far out that they're not even part of the community they claim to be protecting.
2 things that I find funny about this (without RTFA):
- Windows ain't the only one that's not secure (and neither is IE, *cough* Mozilla *cough*)
- And no one cuts up Linux because of it's insecurites (if so, they'll be modded as a Troll or Flamebait).
If I'm running 2.6.8, and a new bug comes out, I'm forced to either A) upgrade to the most recent 'stable' kernel, introducing new features about which I know nothing, and which themselves may be security problems, or B) can hope that someone will backport the security fixes to the kernel version I'm running. I don't know enough about kernel development to patch it myself, but I can no longer just drop in the most recent stable kernel and expect it to work unchanged.
A sysadmin's most precious commodities are time and attention. With this new development model, suddenly I am forced to either pay a great deal of attention (and a great deal of time) to each and every version of the Linux kernel, or I need to pay a vendor to do it for me.
The kernel developers are, in my opinion, shirking their single most fundamental duty... to ship a stable, secure product. Suddenly, because it's easier for them, they have abrogated the fundamental contract, that they will write great software. (buggy, insecure software is not great, no matter how many features it has.) They just wave their hands vaguely in the air and say tha the distributions will take care of those problems.
Guys, it's not gonna happen. The way you get stable software is by not adding features. In your case, by branching off to 2.7, and letting us beat the unchanging (except for bugfixes) 2.6 tree to death. If you keep adding features, you keep adding bugs. That's how it works.
You had this NAILED for years and years... there is a huge community that has built up around the fundamental social contract that even numbered kernels are as stable and secure as you know how to make them, and the odd-numbered branches are the home for new code and new features. Changing that contract simply becuase it makes your lives mildly easier is a hugely destructive idea. You may save yourselves a bit of work, but you create an enormous amount of it for everyone else.
Ted T'So said:
In other words, he thinks it's perfectly fine if only 1 out of 3 'stable' kernels are actually stable.This is not acceptable.
You can bet that Bill has a big grin on his face about this one. If I want new features with my security fixes, I might as well choose Microsoft and their service packs.
Heck, they even have a QA team!
> This article is CRAP. It's a troll pure and simple and a way to stir up bullshit.
Yes. And have you noticed how many of these trolling anti-Linux FUD articles seem to be posted by timothy?
It appears as though this issue has been a common problem since the later 2.4 and more particuarly with the 2.6 patch times. With an increased desire to have a quality check with "signing off" patches etc it seems as though the time to respond on open source patching is very long.
In the past patches for vulerabilities have been relased almost instantly / at the same time as the wide spread knowledge of the bugs are announced.
That was one of the biggest draw cards for me to open source. Now I have moved away from Linux to *bsd software in order to ensure minimum patch release times for security reasons.
And I'll aggree with you about that mindset and hipocrisy too. That's what ticks me off too. The doublespeak and double standards, where the same thing is a hanging offense if it's in Windows, but normal and doesn't even really need a fix if it's in Linux.
But just to add a couple of minor details:
A) I'd argue that Microsoft didn't start secure and slowly get down the drain. They started by ignoring security outright.
E.g., if I remember right, for example, the file server security in NT 3.5 and the pre-SP1 NT 4.0 was entirely in the client. Yes, the client was supposed to check for itself if it's allowed to access a file, and if not, back down. However, if the client was not that nice, it could go ahead and request the file anyway... and get it.
E.g., MS Bob, in the name of userfriendliness, asked you to change the password if you miss-typed it 3 times. No, not if you successfully logged in after mis-typing it 3 times. That's it. Three failed attempts in a row, and you can set a new password.
Etc. I could go on for ever, but these are ludicrious enough to illustrate the point: MS didn't start making a compromise here and there. It outright ignored security until it bit them in the ass.
B) But to be fair, so did everyone else, and some still do.
E.g., it's not a case of Linux eventually getting as insecure as MS Windows. Linux already _was_ less secure than Windows, oh, say around the time Windows 2000 was released.
Sorry, I'll probably annoy the pinguinistas, but taking a Linux system as root online back then, meant you had a script kiddie logged in withing hours at most. _And_ most distros made the same MS mistake of installing and starting every possible service by default, and no firewall either. I know my SuSE systems got Apache, MySQL and God knows what else if I didn't uncheck those at install time.
It took some code reviews paid for by RedHat and the like, before Linux was anywhere _near_ secure.
C) Basically, sad to say, much as nerds balk at "clueless lusers" running without a firewall or MS for having exploitable bugs, most are just as clueless themselves when it comes to writing secure code.
And I don't mean just bugs or lack of communication ("oh, I thought YOUR function checked the buffer length already.") I mean outright lacking even the most elementary clue about secure design, and not giving even the bare minimum thought to what could happen.
Just as end lusers think they're safe without a firewall because they don't directly see the script kiddie breaking in, coders tend to ignore the unseen threats just as well. Mentalities like "oh, surely noone will edit the id in the URL and make themselves superuser" are the norm, not the exception. Or at most they'll repeat mantras they've heard before, without even understanding what those mantras mean.
It's not even a MS vs Linux thing. Windows, Linux, Solaris, whatever. Unless you have some security minded people trying hard to find a bug or way in, you end up with a catastrophe. The average coder's work is a heap of security holes waiting to be exploited.
A polar bear is a cartesian bear after a coordinate transform.
I'm not Mich Le Fay from Arundel in Sussex, but I know her somewhat intimately. Oh, and I puked over Mark Chadwick {the Mark Chadwick} while accusing him of eating m**t. But I was off my box.
Who else here is for creating a "uk.slashdot.org" section? Or even a "slashdot.org.uk" section?
Je fume. Tu fumes. Nous fûmes!
NT installs drivers into kernel, they can do whatever they want. That's one of my gripes about NT (and Linux) - there needs to be 3 levels, not 2. User/Driver/Kernel allows better error handling and recovery over User/Kernel.
If you're running a server, then you should rip out everything you don't need.
... but why bother if there wasn't a problem on the test box?
If you aren't running it, you don't need to patch it.
Which only leaves the security/bug fixes for what you do run. Do I worry about a "reboot test" after I upgrade perl? No. Why should I?
On my Debian systems, the only patch that requires a reboot is a kernel upgrade.
A "reboot test" might still be a good idea, in the 0.0001% of non-kernel situations where it would show a software problem
I'd rather not reboot my boxes because that seems to be when the hardware fails. Much as most light bulbs that blow seem to blow when you turn them on.
What the standard Unix (and Windows) model is discretionary access control.
What this means is that your access is based on your UID and GUID. If you have permission or not to access a file.
You are confusing Mandatory Access Control (which Windows and SELinux both have), and Rôle Based Access Control (which SELinux has). Mandatory Access Control simply means that objects have access control associated with which is defined by system policies, rather than by users. In Windows NT, members of the Administrator group can set MAC policies. In FreeBSD (and TrustedBSD), they can be set by the root user.
Rôle base access control means that permissions can be assigned to users in certain rôles. This allows users to have different permissions depending on their current mode of operation. This is what you explained in your post.
Fine grained access control at a kernel level is always preferable to coarse-grained access control (with the possible exception of performance-critical systems), since it can always be wrapped by coarse-grained interfaces at a higher level if simplicity is required.
I am TheRaven on Soylent News
If it is an easy fix and it doesn't affect other systems, then I can't see why it wouldn't be fixed.
From the LWN article, those look like pretty simple fixes, which only leaves the impact on other parts of the systems.
Yep, there might be lots of easier ways to take out a Linux box, but when someone else has already done the difficult work for you (finding and clearly identifying the issues), why not make a patch and test it?
You are confusing upstream kernel development with a supported stable end-user product. If you want a supported stable kernel, you can get it from your distro of choice, but please don't ask me and the thousands of others working on the kernel in our spare time for free to scratch anyone's itch but our own.
As for the even/odd numbering - neither 2.2 nor 2.4 got stable untill rather late in the series. There was recently a thread on lkml about forking 2.7 in which wli presented a solid case for why changing numbers doesn't magically improve quality or stability of code.
However, there are platforms on which Linux will run that do not have three rings to run in. The ones that do, often don't show the same separation so picking the right ring to run in is difficult.
Ergo, only two rings are used.
I experience the same feeling with S-ATA. There is an obvious issue with the S-ATA driver, which leads to data corruption with many drives and controlers (especially the Silicon Image 3112). But rather to stick on this problem until it's resolved, developers seems to continue in the "it's the hardware's fault" kind of statements. Nevertheless, one of my colleague, a NetBSD expert, tells me that this data corruption with S-ATA does not appear on NetBSD. And when I look in NetBSD mailing lists, I found nothing about data corruption on NetBSD. So what's next for Linux?
RIP Slashdot. I used to love you. dead account - but slashdot wont let me delete it.
to fix these ones too:0 05-01- 06/2005-01-12/0
http://securityfocus.com/archive/1/386374/2
- How much have you paid Linus, Alan Cox, Andrew Morton, et. al., directly?
- Did they make any promises to you about the reliability or stability of the kernel?
- Take a look at the GPL, particularly that explicit disclaimer of all warranties. Did Linus send you a certified mail letter in which he waived that clause for you?
- Did you get certified mail waivers of that clause from all the other kernel developers?
- I'm sorry, I didn't hear you the first time--how much did you pay Linus, himself, directly?
- Does Linus give you binaries only of the kernel, and thus make you dependent on him?
- Does Linus give you source code, and thus give you the option of auditing code yourself?
- Have you done your own code audit?
Just a few simple questions, really. Because before you go about saying that Linus, or any other kernel developer, or any other Free Software developer, has a duty to you, I'd like for you to know what duty means.Duty means a debt is owed.
So--as a result of the community giving you, at no cost, generous license to literally hundreds of millions of dollars of intellectual property... they owe you something? Because they gave you a gift?
I don't know where this false sense of entitlement within the community arose, but I really hope it goes away soon. You aren't entitled to anything. You aren't entitled to the sweat of my brow, the labor of my hands, the product of my mind--but when I release something under a free license, I give you those things. I say "here, have something; I made this. I want to give it to you."
And what are you doing?
Looking the gift horse in the mouth.
OK, everyone, take a deep breath, calm down, and say it with me: "Linux is not dead. This is not the death of Linux"
It's going to take more than a couple of articles to bring about the demise of Linux. There are definite reponsibilities and issues that need to be addressed in Linux, as there always will be in any project of any size. Let's all just support our OS, and make sure that we make it known that it's important to us that these issues are addressed. A few negative articles are not going to kill OSS, and Linux has a way of weathering problems. Relax, and support the developers so they can get on with fixing the problem(s).
-Jay
I haven't heard anything about kernel exploits in Windows for a while
Given that IE is tied so closely to the Windows kernel ("integrated"), pretty much every IE exploit makes Windows' kernel vulnerable.
so why don't they release their own kernels with these critical patches applied? If it is as important as they say, people will use them. I used the AC series kernels on some of my PPC boxes for some time to get a few relatvely minor features that I could have lived without. I'd definitely consider using a demonstrably more secure kernel. A lot of people would agree with me, and I'm sure some distros would pick up the patches so they would get into widespread release for the people who don't compile their own kernels.
They disagree with Linus priorities. And they're probably right. Nobody is right 100% of the time. Isn't that whole point of open source?
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
But it is important to understand that one can't just pick up the "Bat Phone" and have Linus or Andrew on the other end. Those days are gone.
- sbergman27, [http://lwn.net/Articles/118251/]
These PaX "security experts" whine and complain like script kiddies. No wonder.
I think the real point is made that distro volunteers and employees are more likely to implement a patchset for security reasons. Also, this is in the best intrests of the community, by limiting the amount of direct communication forced upon our Overlord and Savior, and also because most of us are using a distro. If a distro has a security patchset and the vanilla kernel is left with holes, surely someone will take notice and go through the proper channels, doing all that hard contacting work for you.
SIGERR: laziness exceeds quota
Most Linux distributions provide automatic updates. SuSE offers the feature to automaticly download and install security updates at a fixed time each day. On other distro's such a thing can be done with cron and a simple shell script. Here there is a big advantage that you don't need a reboot to update your applications. Only a kernel upgrade NEEDS a reboot.
extern warranty;
main()
{
(void)warranty;
}
Some of these bugs, according to the article, have been around for ages, so the new dev model isn't to blame. But Linus and Andrew didn't even respond to these critical vulnerabilities....
Just go ahead and create a 2.7 branch, and then assign a maintainer to the 2.6 branch and let it stabilize. I don't see any reason for not doing this.
Buses stop at a bus station
Trains stop at a train station
On my desk there's a workstation....
You're absolutely correct in what you say.
:)
2.6 is currently a developer's dream and an administrator's nightmare.
It is a smoking pile of bleeding edge patchwork. It can do everything in double time and brew coffee concurrently, but it cannot serve a file reliably (for example - as outrageous as it sounds that last part is actually the truth).
The absolute major top-1 problem is the huge flux of patches; 4000 changesets between 2.6.9 and 2.6.10... One kernel fixes maybe 100 bugs and introduces the same number along with a heap of new features while it deprecates a few old interfaces.
If 2.6.5 is the latest stable 2.6 kernel for one particular use (which I know for a fact that it is for some uses), you're stuck with a local root vulnerability because most likely 2.6.11 which may have a fix for this one bug will crash with that workload (as 2.6.6-2.6.10 did).
And the examples I'm pulling out here (file serving and many unstable kernels in a row) are not unreported problems. They are not new problems. They have been worked on, partially fixed, etc. etc. but with the development model as it is, you just cannot expect fixes to have a very long life-time.
It is very very sad. But I think it will change as someone realizes how bad the situation is. Probably half a year or so from now, when people start getting really annoyed that you *still* cannot route, web-serve or file-serve in any significant volume with Linux 2.6.
Until then, it's Linux 2.4 and Solaris - both slow compared to 2.6 maybe, but at least they stay up over night
I understand why it happens, and that's the same reason that NT class systems are only 2.
On the systems that don't support it, driver could be merged with kernel and that gives what you have now. It would be only virtual levels (like IRQL on NT systems) in that case.
Dragonfly already sucks less than Linux, too.
that does not understand the following differences:
- Free vs. Proprietary
- Open vs. Closed
- Community based vs. suck from whole world
sgis ddo ekil t'nod i
Take the following encryption algorithm:
1. Encrypt with published, well known crypto
2. XOR
Decryption:
1. XOR
2. Decrypt with published, well known crypto
What do you have? A bunch of people wondering WTF is going on because it doesn't follow "standard" encryption methods. In a worst-case scenario, you're no worse off than before. That is proper security through obscurity. If obscurity is the security, well then in the worst-case scenario you have none. Take it as the bonus it is (hey, many OSS apps don't like to annonuce they're running version x.y.z build 1337 either).
Kjella
Live today, because you never know what tomorrow brings
Ha! Ha!
You know it....
to help fix windows......
every day http://en.wikipedia.org/wiki/Special:Random
I've worked on projects where inclusion of features is more important than design. That isn't to say design was completely ignored but the team lead was definately more interested in having all of the agreed features in the product before a certain date.
The Linux Kernel is much the same way. The people driving "head" are more interested in getting stuff into the kernel than it being secured. This isn't automatically bad. Now whether or not this bites them in the ass later is a different disucssion. Getting things into the kernel for others to look at is how the code matures in the Linux kernel. Having a developer sit on a piece of code because he isn't sure it is 99.9997% correct does no one any good.
Thankfully, there are others who aren't sitting at the "head" of the source correcting things as they go along. This is one of the strengths of the Open Source model of development. The person who originally wrote the feature doesn't have to be involved at all in debugging or fixing the feature. Ultimately, if you don't like the code that the LKD team is "blessing" then you can always exclude it. These are wonderful things about the Open Source Development model. You aren't beholdened to any vendor or developer.
I see this problem as neither here nor there. It would be awesome if every bit of code that went into the kernel was super robust but that is a pipedream because everyone has access to the kernel source and can change it at whim. And because of the way OSS works, you don't need to behave like closed vendors in that it has to be 100% correct or it doesn't get released.
It would be nice if the source "head" was a bit more "cooked" but that would involve changing their development pattern which I have no illusions could be rough. In the future the kernel team might change their focus from "adding things" to "securing things" but that is future speculation.
ps. For the historical perspective, isn't this "security" vs "features" the thing that caused the schism in BSD?
Unfortunately, these folks are FUD-spewers. Worse, they're FUDing to make names for themselves. Ah, well.
Yes, that's right, attack the guy for not following protocol.
You are all hoping he gets a job at Microsoft? The chief maintainers are to blame and full of crap. That's you Linus. The drive and energy to make a kick ass little Minux platform has turn into a buerocratic and letargic malasis of incompetence.
One has to remember that the linux exploits are much harder to actually take advantage of than the windows exploits. Linux security holes, although serious, one must first gain access to the physical terminal, then have the time needed to actually use the exploit, as opposed to writing a webpage or powerpoint file that someone merely has to open to become a zombie. Linux needs fixing at times, however the security holes are in comparison, not as serious as those Windows users encounter almost daily.
These kinds of security problems leave the door open for someone else to determine the future of Linux.
You've just handed Microsoft a huge Public Relations goodie that they can beat to death as definitive proof that Linux fails to promptly fix security bugs. And now it can be extended to a universal problem with all Open Source Software. And now everything is back to being Microsoft or Death.
Sure I exaggerate, but don't you think others will try to do the same?
I don't know if the guy from GRsecurity can be classified as an asshole or not. I have found a lot of people who do post security patches tend to be very arrogant buttholes, but I've never met the guy. So there's some room here to determine just who's the bitch now.
But if these are real security holes and have been around this long, we've lost a tremendous edge on what advantage Linux has been able to claim in the past. The door is open.
My guess is that the best candidate is going to be OpenBSD or one of the other BSD's. It wouldn't surprise me. As something goes mainstream, it's political fat starts to overwhelm it's technical agility. To prevent this you have to fight very hard. Feature Creep is one name for this phenomenon. It could be argued that Linux has become focused on providing new and interesting features over old and boring performance expectations. This is to be expected as more people start pressing for wish list features and begin to ignore the original problems of security and stability. If you've ever wanted to see this in action - watch Debian. People are bitching now that Debian Unstable should be the defacto distribution version today and just wave their hands in dismissal when someone complains about packages breaking in Unstable. Apparently they too have accepted inherent stability problems in lieu of stability.
This is dangerous for all organizations who do this. As the foundation is ignored, you will start to permit some really illusive bugs into the system.
Similar extensions can be found when comparing Debian's Stable to Mandrake et al. Debian tends to be much slower on new developments, but they have a very good track record for basic performance. Similarly OpenBSD has it's software/hardware limitations, but it's definitely secure.
And any arguements regarding the security of a system as installed from the distro-provider is pretty much BS. They have each decided to install towards a target audience. To expect to be able to execute an installation on an unprotected machine and have no security holes appear at any point in the process is more trouble than it's worth. The price of doing an installation behind a firewall is far lower and a waste of development resources.
...can be 0wn3d if the OS has a major hole. For example, just imagine a buffer overflow in inetd. Tell me how you have a prayer of surviving that on a standard UNIX system.
Without competent systems programmers, competent admins are superfluous.
Comment removed based on user account deletion
While I don't doubt that OpenBSD concentrate a lot on security, their claim of "Only one remote hole in the default install, in more than 8 years!" is due to there being no services enabled by default at install time, rather than the quality of the kernel.
I'll probably be modded down for this...
Well I mode pretty much anyone that says 'Troll' anywhere in their post as Troll. Anyone who says 'This is probably offtopic' get's modded immediately as offtopic. And anyone who says 'This isn't flamebait, but...' gets immediately modded as flamebait.
I'm sure others do the same. So now you know why. Just stick to the topic, say something sensible/ useful/ funny, and stop trying to complain about the modding!
I'd better post this anonymously to save getting a Troll myself!
So taking on a big project to make Linux secure and stable will "undermine efforts to assure people that Linux is secure and stable?"
________________________________________________
suwain_2
If you look into the matter, you'll find that the bug was pointed out, the kernel developers said (paraphrased), "you're right, there is a problem there, and it's part of a larger issue that we're addressing [so fixing it will not fix the main problem]... we'll get someone on this particular issue. Thanks."
The person raising the stink simply thinks that his bug should take a much higher priority than he thinks it got. He wants it fixed immediately, whereas the kernel maintainers prioritize issues by risk (probability of occurance * cost of occurance). In this case, cost of occurance is constant among this class of issue, and probability is judged to be markedly lower than others in the same class; it's a lower risk and thus lower priority.
Somebody is just a little too sensitive.
If it is revealed that a plaintext was encrypted using AES, a known (ie. not obscure) cipher, it is still not possible to reveal the plaintext. In other words, AES does not rely on obscurity, it relies on other mechanisms.
Like obscurity ... of the key, perhaps?
This *is* the death of Linux. Not the article but the problem it describes. I think it's a symptom, but a pretty major one, of a deeper problem. The developers don't care about the users any more. The kernel devs have said that end users should not be using vanilla 2.6.x. This is the death of Linux as we know it, and ultimately will be the death of linux in any form. Right now I'm giving it about 20 minor versions before I fork linux or switch to one of the BSDs. And I'm not the only one feeling like this.
I am trolling
Reading through this thread is somewhat amusing.
One negative erases One-thousand positives.
A Linux Zealot looks for the bad things about Windows.
A Windows Zealot looks for the bad things in Linux.
My Platoon Sgt. once said: The people coming to this ceremony didn't come to see how good we are at drill, they came here to see one of you fall flat on your face or drop a rifle.
Fastduke
Actually, it's a pointless comparison because Linux is just a kernel while Windows is a kernel (and a very good one), a HAL, a GUI subsystem, various system libraries, various applications that use them, etc.
I will say, however, that taking the average monthly vulnerabilities for any given Linux distro + kernel and comparing to Windows yields surprising results. About the same ore more vulnerabilities exist in Linux distro apps than on a typical Windows installation. See http://www.linuxsecurity.com/advisories and compare for yourself.
The point is that we're all humans making software, so we're all prone to the same mistakes. Both systems are inherently insecure to the same degree, but Windows is used so much more that holes are widely reported.
You complain when trolls pop up and say "Ha ha!" to Linux vulnerabilities, but look at a Windows vulnerability article on Slashdot sometime and you'll find 90% of the discussion follows those very lines. Some people genuinely enjoy Microsoft technology and use it daily, so it's a little healthy schadenfreude when it's pointed out that, hey, Linux isn't the 100% flawless Golden Warrior it's made out to be. It's a dangerous mindset to have anyway--it makes you overlook things. Which seems to be the case in this LWN article.
So's my shop-vac, if you don't connect it to the network.
If it were done when 'tis done, then t'were well it were done quickly... MacBeth
actually, what you do is get two servers, update one, test it for a while to make sure there are no bugs in the patch, then update the other. If you really need uptime, you have a third system that is your "guinea pig" system for testing fixes and patches on.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
Personally, I switched from grsecurity to SELinux shortly after the incident linked above. While Brad may in fact be quite skilled, I've simply lost trust in him and, by extension, his project.
not plane, nor bird, nor even frog...
I read it best when someone said Linux is written for leverage to compete with Windows and other operating systems, while BSD is geared toward stability of the features already in it. That's why you get Linux supporting ten different filesystems while BSD is focused on getting one working right.
Neither is "better" because it's subjective, but I do think Linux needs someone in position of Security Officer like the BSDs do. I think 2.6 has been a rush to include beta code and implement new features in a production kernel, which has had disastrous effects. My switch from FreeBSD 4.x to 5.x has, however, been nothing but smooth so far.
What Linux really needs is one person assigned to all security related matters, any exploit is sent to him, and his job is to coorindate with Linus, the person responsible for the module, the organization/person that brought up the issue, and the bugtrack sites...
linux 2.0.38 is more stable than NT. In the time of winNT, the alternative was 2.0.38.
Want more features, better SMP?
Get winXP or linux 2.6.0
Microsoft is one of the most successful companies in the software world by any sensible measure. Its software helps more people do more jobs than just about any other software in the world by any sensible measure. In the grand scheme of things, how is that "in trouble"?
Sure, you can bitch about security flaws, and the world would be a better place if all MS software today were 100% secure and nothing else changed. But the real question is whether the world would be a better place today if all MS software were 100% secure but only usable by highly-trained, technically competent, experienced users. From the almost complete lack of penetration of Linux and such onto the world's desktops, I think the answer to that one is pretty self-evident.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
In a historical account of computing's funniest moments, the Windows security certification should be in the top 10.
-- Microsoft is the most expensive commodity operating system and office suite vendor in the marketplace.
Given that IE is tied so closely to the Windows kernel
That's not given. It's tied to the shell, not the kernel.
Nobody gives a fuck about MS Bob itself, but it's a glaring example of the fact that MS didn't give a shit about security to start with. It extends to all their products as well.
Want non-Bob examples?
How about the NT file security I mentioned in the same post? That _is_ a corporate product, and was pushed as a corporate product. That design is so cretinous, idiotic, lobotomized and clueless, that there aren't enough words to that effect in the dictionary to express it.
How about the password protection for MS Office documents? It could be "cracked" in milliseconds flat. In fact, at least one company selling programs that allowed people to unprotect their files went on record to say that they built a delay in their program to look like there was _some_ effort involved. And yes, those were and still are pitched at businesses, not at clueless home users. (See the "Small Business Edition" variant thereof.)
How about Hotmail? That wasn't a decade ago, and a you could access anyone else's mail on it without even much effort involved.
How about the endless stream of buffer overflow exploits in _all_ MS products, because MS cared more about benchmarks than about security? Yay, their products were a few milliseconds faster, at the cost of being insecure.
Etc, etc, etc. As I've said, the list really is a mile long.
So you can get off the high horse, you know. It's not about Bob itself. It's just a clear cut case of MS not giving a shit about security in _any_ of their products until very recently.
A polar bear is a cartesian bear after a coordinate transform.
They seem unfriendly, sometimes even aggresive, about providing information. Some years ago that wasn't the case, first generation of prism54 cards works fine, second one doesn't, because the current builder of the chipset ignores the request for papers. It is the same situation in the BSD field, btw, not a Linux only problem. It is a stance about the GPL, an indirect hint about GPL and propietary binaries. Other interesting example is with atheros cards in OpenBSD, they recreated the driver because even if the use BSD license, they don't want binary crap in their official kernels.
that all this stuff comes out after somebody did a research study demonstrating that Linux and OSS in general have better quality control than commercial systems?
I smell a Microsoft-paid rat...or some bozo stirring up some PR for himself.
I personally would have some suspicions that the LKM system might have security flaws just on the face of the concept - but then again, I'm not coding the stuff. Have there been any exploits based on this stuff? Any discussion of same by the underground hackers?
If not, it's on a par with the rest of the security flaws discovered in Linux and OSS on an almost daily basis - they're there, they'll get fixed when somebody has the time.
The bottom line is: when will people stop coding without checking their code for potential security issues?
Complaining about patches is not going to solve that core problem.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Typical bank configuration (this is for a mission critical application, but not one that touches money):
Production Master, Production Backup
On-site DR Master, On-site DR Backup
Off-site DR Master, Off-site DR backup
Quality Assurance Master, Quality Assurance Backup
Development Master, Development Backup
Sometimes they would have 2 or 3 more. We licensed specifically for this.
Even with this, it still was 99.7 or so uptime -- there are unforseen events that redundancy alone cannot compensate for.
If your code is acting bloated, and is running rather slow, it's likely and predicted that some loops you will unroll.
Ooh, burn! OpenSSH is one of the greatest innovations in the entire software world. Way to tell it like it is. :)
Wasn't the NT Kernel developed by one of the world's most preeminent security experts? I think it was the same guy who developed Vax.
http://shit.slashdot.org/article.pl?sid=05/01/10/0 35225
as of late..
when I upgraded to 2.4.27.. I couldnt use cupsd
I upgraded to 2.4.28 to fix this.. cups worked.. but then.. my stability started sucking major ass.
took a recompile with removing some options to get my system stable (so it wouldnt kernel panic when something didnt work right instead of just outputting an error)
It hasnt done this before. I've also been having module dependency issues where I havent had them normally, it's beginning to suck. I think it's because the devs think "hey, we're pretty popular now.. now we dont have to give less a shit about what we code." or something.
I generally think they need to redo their process.
they need to prep a release.. then hand it over to a security team like grsecurity to scan and hack the hell out of it.. and then explain what needs fixing, etc.
I'm glad RSBAC gets linked as it is a quite good security solution, but.. where did anyone from RSBAC said the same things as GrSec and Brad ??
Sources ? None.
Did they say anything ? I don't think so
All there is, is that RSBAC doesn't uses LSM for the same reasons as GrSec, but LSM isn't what this article is about...
What you do is that you have three stages of deployment:
-One of initial testing in systems that you can whipe-out as needed. There you asses glaring initial problems.
-The second stage is a testing system (or systems, since if possbile you want to test contingency situations) with identical configuration to your production machines (which are wholly redundant btw).
-The last stage is the production stage. Depending on circumstances you can update both machines (or all, some services are provided by multiple redundant machines) or one at the time.
In most circumstances I have encountered professionally you normally update the full lot of machines providing a given service or set of services since you don't want unpredictable inconsistencies due to different version of your software running at the same time.
I you are a piss poor or small company go and get el cheapo machines, do your intial testing, whipe out your testing machine and build a Production replica and do your pro-production test there.
IANAL but write like a drunk one.
One thing in userland that could really use looking at is PAM. Its design is utterly archaic and fraught with gotchas, while the overall idea remains obviously useful and popular. If PAM were more useful and secure, Linux systems would by extension be more useful and secure.
LRC, the best-read libertarian site on the web
this is sure to be the talk of the campus...
Get your torrents...
Everyone's making excuses for Linux, but a hole shows up in IE, and we're all supposed to switch to Firefox. Sounds like a lot of bullshit to me. Firefox probably has plenty of security holes, just like Linux.
Everyone here tells you to use Linux because it's so great, but then when you actually use it, and find problems, you say, what do you expect, you got it for free. Fine, I'll stick with windows.
He then used MS Bob as an example of a client that exposed this security flaw to the user. He was not criticizing MS Bob. He was criticizing the operating system.
And the problem was not a "hole" or "flaw" - it was a lack of actual security in a system that claimed to provide it.
I just noticed that Netcraft has this cyrillic character in front of it. This is most annoying since it now means Petcraft, whatever that means, grrr ...
I had a glass of wine which explains my lost inhibitions to mention that.
Stability is the problem. You may not have so many security problems to worry about updating to the latest 2.6.x, but if it crashes on you then it's no good to you.
This has been explained numerous times before, and quite nicely on lwn.net. Sadly you're not the only person who has missed it so I'll repeat it here.
... but I don't know any distro that wants you to upgrade kernels to different versions.
Using the kernel directly from kernel.org is (now) for hobbyists, not for people concerned about absolute stability. People concerned about stability should use the kernel from their distributor.
You say 2.6.5 was the last stable kernel. Personally I would have listed 2.6.10, and then 2.6.5 but that's irrelevant. Say you're running 2.6.5 and a vulnerability is discovered. You get an updated 2.6.5 from your distributor and the problem goes away. You do not get 2.6.11.
See how it works? From a distributor's perspective they now have more choice (should they base their distro off 2.6.5, 2.6.7, 2.6.10 or
Corrin
ATTENTION SLASHDOT ASSHOLE FROM LAST YEAR who bullshitted about Linux being so God-damned secure compared to "crappy" Windows. Eat shit and die! I told you if it were under assault even remotely as much as Windows, it would crack like your over-masturbated penis skin. Eat shit and die, you God-damned ignorant fuck!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
I might have missed something here but I really don't understand all the fuzz about Linux nowadays. I thought I did back in the days when I had no first hand experience about any Unix variants. After I got familiar with GNU/Linux I realized how messy it was, having to be all the time ready to build a new kernel and reboot. Repeat for every single machine. Shame on the admin that dared to go for a vacation. Anyone who has heard about Murphy must realize those are the most likely days for a brand new vulnerability to be released.
As I sought for alternative I heard that BSDs can do the same things as GNU/Linuxes but without all the hassle. Since no media had ever mentioned a word about them, I though they were only for 24 / 7 hackers and not have the least bit of user-friendliness. But as soon as I heard that FreeBSD is easier to install than Gentoo I gave it a try.
Now, a year later, security hasn't been a reason for even a single boot for the server I set up. This is the first BSD server I've installed and I succeeded in first try. Meanwhile I hear all the time my fellow Linux admins having to suppress their normal use while compiling a new kernel and swearing a lot when having to do this at short notice, which does happen many times a year. Quite a lot of them have now switched to some BSD or are looking forward to switching.
For what I've heard from NetBSD admins, it's quite about the same as FreeBSD but without a menu-based installer and a better alternative for ports, pkgsrc. Luckily pkgsrc is a multi-platform software, being available as source but also as pre-built binaries for many BSD and GNU/Linux distros, including FreeBSD, Debian, OpenBSD, Slackware, Solaris, Darwin and so on.
Since I've found ports being sometimes a bit clumsy and I don't like its principle of "all software being updated as soon as possible" as much as pkgsrc's "software being updated after testing giving updates for many programs at a time", my next Unix variant of choice could be NetBSD or FreeBSD with pkgsrc installed instead of ports.
The big question is, what better do GNU/Linuxes really offer than BSDs? And which of these things could have already been achieved with a larger user and developer base, ie. if all the hype wasn't just about Linux?
Yes, I'm shocked that you assume people have no life and can maintain a set of patches for their kernel just like you do.
So if I understand your statement correctly you value your time highly and thus you want others to manage the paches for you.
But ...
IMO also Linus & co. value their own time highly and while they are commiting (part of) it to do you a favor (by providing you with software for free) you should be more gratefull.
If you do not want to manage those patches yourself, find someone else who will do that for you for free instead of Linus & co. and hope he will be more "responsive" to your needs.
Or hire somebody to do that - then you can give demands and orders to this Somebody.
hany
some users think they are secure because they download linux binaries from all over the internet instead of windows binaries.
Secure is not feeling cosy, because of a decision you made last year, secure is the feeling you get a bit at a time when you patched another flaw and closed another hole.
Sam
blog.sam.liddicott.com
And all those handy security features are just there. You don't have to do anything, or know anything to use them, its all just there for you already. Dismissing an OS because you are too ignorant to bother checking it out is pretty stupid.
udp 0 0 *.514 *.*
Just because it doesn't blindly accept and log messages from remote hosts doesn't mean its not listening.
Did Red Hat, SuSe, Debian et all come out with a patched kernel for this even when Linus didn't? If not.. why not, I wonder? If the kernel maintainers don't settle it, then the distribution maintainers ought to pick up the slack with patches.
Why was this article removed fromt the Slashdot main page. I was reading it and came back to look for it and I couldn't find it on the front page. I had to do a search.
Did Red Hat, SuSe, Debian et all come out with a patched kernel for this even when Linus didn't?
I do not know. And while I did not (yet) purchased Linux OS from neither of them, I do not care.
But being a paid customer of some Linux distributor, well I would care very much.
But we're back to what I alredy written about "for free" and "paid" in regard to patches.
Unfortunately the "manage it yourself, Linux is free" argument is in direct conflict with the "Linux is a great alternative to MS's and Sun's stuff," yet often these are two ideas that are in direct conflict with one another. When an operating system/kernel is being pushed as being enterprise quality as much as Linux has in the last few years, then it's not unreasonable to expect a certain level of quality from the maintainers, ...
Those two sets of arguments are IMO not in coflict because each one applies to different people (to two different not intersecting sets of people):
hany