Critical Security Hole in Linux Wi-Fi
thisispurefud writes "A flaw has been found in a major Linux Wi-Fi driver that can allow an attacker to run malicious code and take control of a laptop, even when it is not on a Wi-Fi network."
So here is a Linux driver problem, a patch is available, though not widely dispersed. The news here is that even in a largely neglected (though it shouldn't be) slice of the Open Source technology, specifically the deadly difficult wi-fi landscape, bugs are found and fixed right away (at least that's the gist of part of the article).
I'm more afraid of the neglected patches MSFT deems behind closed doors as not important enough to reveal to the public. How many zero-day exploits is MSFT discussing behind those closed doors right now, and what are they deciding about the fate of security to my machines?
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
(It doesn't seem to fix the other problem... I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore... If I want wireless linux on a laptop, I'm doing via Vmware's bridge. It shouldn't be like this.)
Already been patched, read TFA. My laptop has been patched for a while already, so have most people that actually pay attention to security posts.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
What if you ifdown the wireless interface when not in use, can this prevent an exploit? It seems like it would unload the interface, but the kernel drivers would still be present. Does the kernel still monitor the wireless signals regardless of the ifup status?
I'm lucky my laptop has a switch on the side, when switched OFF wireless networking seems to be disabled. It seems to be a hardware disconnect for the antenna.
No it's not. Holy shit. Can't we even talk about security holes any more without it being FUD?
Thanks for the useless link. Anyone with a link to an actual advisory, LKML post, lwn, etc that might have some actual information in it?
A bug in Linux Wi-Fi doesn't matter. No one can get the fucking thing to work anyway.
It doesn't matter which operating system you use - they all contain buffer overflows. In a way, the consumer is to blame for this. BSD has been whiling with little to no market-share despite the fact it's free. Nobody it seems wants software that's secure out of the box and stays secure.
People want features and features are the enemy of security. So the status-quo continues even though we've known how to fix these issues for forty years.
Simon
Once again, Linux is safe from such a common attack because only seven people have successfully set up WPA. If this had been a Windows flaw, where every machine natively understands WPA and no work at the command prompt is needed, this would be disastrous.
This shows that Linux has been taking the right stand. By making the machine difficult to get running, it's unlikely that the machine will be able to connect to anything and become infected. Windows made the mistake of making the machine easy to use, allowing for simply network connection and ease of ownership (OWN3D).
Dekker Dreyer
DefectiveByDesign? Oh wait ... wrong OS.
I find it pretty interesting that security advisories over the last several months have been on primarily non-MS platforms. Mac, Linux, Solaris, etc. have had many more security advisories than MS Windows has had to endure, and Microsoft, while certainly not leading that pack for response time, also isn't dead last. I invite you all to check This site which is April's list of security advisories. I remember seeing a review on security a short time ago dealing with response time from various OS Vendors, and while MS wasn't leading the pack in anything, they weren't dead last in anything either.
I personally think Linux has a lot of potential, and is a pretty decent OS. But it's not ready for primetime just because of the average user. Windows has a tough enough time with security because of the user (let's face it, 90% of problems are the user's fault). Sure, exploits exist, but you have to DO something. Users don't download patches. Users click on anything with an OK box. Same applies here. How many "users" running Linux are even going to know about this vulnerability, let alone patch it. Ok, if they've auto-updates on, perhaps they will fetch it in their next batch? In which case, good, and kudos to the distro for making that part painless for the user.
I've always wondered about Linux's wifi security, but that was primarily because of having to wrap up the driver of most wifi cards. Just seemed to me like a door just begging to be broken down. Apparently I wasn't the only one.
Here is a reference to a more informative report.
It is pathetic how anything negative found against linux is turned into a flamefest against Microsoft. Vulnerabilities like this just show that the more usage an application has the more holes will be found.
The parent should be modded flamebait, Microsoft has nothing to do with this discussion and bringing it up with the intention of only criticizing it is obvious flamebait.
... this was fixed 4 months ago?
http://madwifi.org/changeset/1842
AFAIK, Atheros drivers aren't even in main kernel tree yet. For the last few years they have seemed to be in perpetual pre-release (0.xx) versions..
Humorous, but if someone wants a quick and painless route, check out Ubuntu. I'm running 7.04 beta on my laptop and wifi works well with my two very different APs in WPA(psk) mode. Installed and working, no tweaking, no manual compiling, no config file fiddling required. After running Linux for 12+ years I am quite happy with the state of Ubuntu.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
It's interesting that people start talking about Microsoft right away in reaction to this hole, as if the only thing that matters here is how this flaw relates to Microsoft.
What I see is more the horrible state of software security. A security model that relies on all the writers of driver code in your computer to do their job right is a poor security model.
I know I'm spinning here, but I don't find it much of a stretch to interpret this as good PR for the Linux world -- they find problems, they fix them.
Great.. I guess I'd rather have the Linux World where there aren't any serious problems to begin with. The larger picture here is that computer security kinda sucks, not that Microsoft is better/worse at it than Linux is.
I'm so sad and tired of trying to get laptops running linux reliably with wi-fi, I barely even bother messing with it anymore
Huh. I've had very good luck recently with Ubuntu. The built in wifi in my laptop worked out of the box with Ubuntu, and two other cards I own worked as well.
It hasn't always been like this of course. A couple years ago WiFi support was extremely lacking.
AccountKiller
can a story about a critical security flaw in Linux be spun into an anti-Microsoft rant. Truly pathetic, and frankly, disgusting.
And I can't help but laugh at all these security problems with wireless. Since the technology came out it has been plagued with problems. I do work from... work (what a surprise) and from home. I'm not working in my car, nor while I'm walking. I enjoy the moments when I'm neither at work nor at home to do something else than being behind a (small) computer's screen.
I know that for some people having a lot is mandatory and I pity them: have fun with all these security troubles, with your small screen and with your bad keyboard (insert here a reply about how your laptop's screen is better than a 23" displaying 1920x1200 and why your laptop's toy keyboard is better than a mechanical one... But you won't convince me).
The only laptops I'll ever buy (say when I need to do demos at customers etc.) need to have a physical switch to disable the WiFi or, at least, a BIOS option to turn it off.
WiFi is a bad joke. It is slow and insecure.
My home is now Gigabit ethernet (and, yup, the hard disk then tends to be the bottleneck) and 10 Ge is around the corner: faster than WiFi, safer than WiFi.
For me this article reads: "nothing to see here, move along". Good luck for all those who can't know for sure that they don't now have a LKM rootkit in their WiFi enabled laptops (I'd recommend scanning it with a Live CD or, better, check with the Tripwire results you took for sure when the laptop was in a known good state).
This bug is in the "madwifi" atheros driver, which is:
- dependent on a closed-source kernel module
- not in the upstream kernel
- not included by default in most distributions (e.g. Fedora/RHEL, SuSE, Debian).
It *is* in Ubuntu, but has been fixed in Edgy since February 1.
So here's what the headline should have been:
Closed-Source Drivers Harder To Maintain, Less Secure
Good thing I'm using Windows.
Oh wait... nevermind.
w00t
Just modprobe -r ath-pci (or rmmod ath-pci).
The bug was in the open source portion of the driver, the closed-source HAL merely locks the range of radio frequencies and transmit powers allowed.
You are overlooking the way that most Joe Linux users get their updates - automatically. When security flaws are found and patches are delivered, you can guarantee that the people who package that software at Redhat, Ubuntu, Debian and other major distributions are aware of the update. Those security patches will be tested and rolled out into the main update repositories, probably within 24 hours to all the mirrors worldwide. The automatic update daemon on Joe User's modern Linux distro will be downloading the update within the next 24 hours or sooner. From security patch being announced to patched home computer in 48 hours in the worst-case scenario.
One of the nicest things about the distro's automatic updates is that this applies to ALL packages in the distro. I don't need to worry about Apache needing its own updater. So no - the average Joe running Linux does not suffer - he gets informed about the update or even has it applied without manual intervention depending on the settings. Joe benefits and so does the community who recognise that fixing security flaws promptly is key.
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
but if he is a total git I bet he's got nothing on Theo de Raadt (OpenBSD project lead). OpenBSD itself is a tank, however.
N4st0r, trixx0r h0bb1tz0rz! Th3y st0l3 0ur pr3c10uzz!
I shouldn't reply to your trolling comment, but you may be half serious. To get this important security patch, I only had to click a button called Install Updates. Yup, that took me away from important duties for quite some time.
Kindness is the language which the deaf can hear and the blind can see. - Mark Twain
oh wait...
Why is a tagging keyword 'haha'?
The madwifi howto is here. It seems that you can type, "lsmod | grep ath_pci" to find out if you are running the supposedly exploited module. My simple Etch system does not have this or wlanconfig tools by default, though those tools look very nice and I'm sure this little problem will be fixed quickly.
I have to agree with you about the uselessness of the PC World article. Besides not having any useful information, it's filled with FUD about free software wifi and confused "popularity argument" babble. In short it's more of a, "everyone else has these problems too, so Windoze away," pacifier than it is a news article.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
For further peace of mind, you can check this list of devices and "lspci" to see if further action is required.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
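A scripted version of the checks suggested in the comments above (`lsmod | grep ath_pci` and `lspci`), added here as an example and not part of the original thread. The sample outputs are constructed, `168c` is the Atheros PCI vendor ID, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): is the madwifi ath_pci module loaded,
# and is there Atheros hardware it could bind to?

# Constructed sample of `lsmod` output (not captured from a real machine).
SAMPLE_LSMOD='Module                  Size  Used by
ath_pci                96800  0
e1000                 120000  0'

# Constructed sample of `lspci -n` output; 168c is the Atheros PCI vendor ID,
# the device ID 001c is only an illustration.
SAMPLE_LSPCI_N='00:1f.2 0101: 8086:27c4 (rev 02)
03:00.0 0200: 168c:001c (rev 01)'

# module_loaded LSMOD_TEXT NAME
# Succeeds if NAME is listed as a loaded module. The kernel reports module
# names with underscores, and modprobe treats "-" and "_" as the same, so
# "ath-pci" and "ath_pci" refer to one module. Only the first column is
# compared, so a partial name such as "ath" does not match.
module_loaded() {
    want=$(printf '%s' "$2" | sed 's/-/_/g')
    printf '%s\n' "$1" | awk -v want="$want" '
        { name = $1; gsub(/-/, "_", name) }
        name == want { found = 1 }
        END { exit !found }'
}

# atheros_devices LSPCI_N_TEXT
# Prints the PCI slot of every device whose vendor ID is 168c.
atheros_devices() {
    printf '%s\n' "$1" | awk '
        { for (i = 2; i <= NF; i++)
              if (tolower($i) ~ /^168c:/) { print $1; next } }'
}

# assess LSMOD_TEXT LSPCI_N_TEXT
# Prints one of three states:
#   driver-loaded                      ath_pci is resident in the kernel
#   hardware-present-driver-not-loaded Atheros device found, module absent
#   no-atheros-device                  neither was found
assess() {
    if module_loaded "$1" ath_pci; then
        echo "driver-loaded"
    elif [ -n "$(atheros_devices "$2")" ]; then
        echo "hardware-present-driver-not-loaded"
    else
        echo "no-atheros-device"
    fi
}

# Run with the argument "live" to check this machine; otherwise the
# constructed samples above are used so the script works offline.
if [ "${1:-}" = "live" ]; then
    assess "$(cat /proc/modules)" "$(lspci -n)"
else
    assess "$SAMPLE_LSMOD" "$SAMPLE_LSPCI_N"
fi
```

A result of `driver-loaded` means the package version still has to be compared against the distribution's fixed release; the script only reports whether the module is resident.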
to "Only three remote holes in the default install, in more than 10 years!" given that they're into swiping Linux wi-fi code.
... this was fixed 4 months ago?
It looks that way to me.
Unless this is a different vulnerability, Debian applied the fix over four months ago, two days after the patch was available, and eight days after the vulnerability was first reported.
I saw the article and immediately started aptitude to get the fix, only to discover that I already got it, two weeks before Christmas. Nice.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
As parent states, the bug was in the open source part of the driver.
Of course, it would have been too much trouble for PC World to mention exactly which version of the madwifi driver was susceptible to this particular flaw. So much better to let people dig through changelogs which might address any number of past vulnerabilities.
I patch and update regularly, so I just wasted some time double checking on a flaw that had been fixed on my system a long time ago.
Is this flaw in madwifi or madwifi-ng? If it is in madwifi-ng, which release(s) is/are vulnerable?
And ye shall know the truth, and the truth shall make you free.
John 8:32 (King James Version)
I should point out that the driver in question is MadWifi; it's mostly closed source.
Indeed, we've been here before. Stuff like this makes me feel better about the few inconveniences I've had to put up with to use Debian. It is difficult to find hardware that works, but that's nothing next to getting nailed like a Windoze user.
This is why it's important to distinguish between "Linux" and "Free Software". Sooner or later the message will get through over nonsense like the popularity argument and other FUD presented in PC World.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Get rid of wifi cards (PCI as well as PCMCIA), and instead implement the wifi 'client' side with an ETHERNET jack to connect .. well, anything that has or can have an ethernet port. Have a 'router' built in that is accessible and configurable via HTTP and/or telnet. Include a 'bridge mode' where, once configured, the router steps out of the way for cases where you are on a known network where you trust its security, or for 'public' untrusted networks you leave the built-in router enabled, isolating you from unexpected inbound connections.
Then, you don't need specific 'drivers' for wifi hardware (you just need to support ethernet)
Um, "Joe Linux" here, chiming in. I run Fedora, which was pre-installed on oddball hardware. If Fedora has automatic updates like Ubuntu, and if they just work, I sure as hell haven't heard about them. The Fedora repository is about 10% of the way to useful. 15%, when I'm feeling charitable. I'm on Core 3 because I haven't found a distro that can deal with my system, and, since I'm a biology geek not a computer geek, I have no idea what to do or the time to spend finding out.
It gets worse. I don't even know if I'm running a madwifi driver or not. I looked at the running processes, but there's nothing obvious there. I don't know if madwifi is called something else in the process list. I do know I have an Atheros chip.
The point I'm trying to make is more than just displaying ignorance. The point is that it may be hard for those of you who are close to the subject to realize just how opaque it is to those of us who aren't. If you're in the know, share their knowledge. It's kind of frustrating, from my perspective, to hear, "It's all automatic, and if it's not, you're just too hopeless to deal with."
(All that said, you're quite right that when updates are applied automatically and effectively, both the clueless and the clued benefit. That's why I'm getting my next system with Ubuntu on it!)
Open-source advocates, however, are still as insecure as ever. Apparently.
—Tickletaint (forced to post logged-out due to modbombing)
Why does the linux community always compare itself against windows, why are there not more discussions on how it compares against AIX, Solaris, etc.? Is windows still that much of a threat? Windows is totally different from Linux, Unix, Mac. A comment is made about linux security and first post is comparing itself against windows, what's up with that?
Anyway, all software is prone to issues, no matter what it is and to think otherwise is to completely ignore the fact that humans can and do make mistakes. Rather it's how we deal with those mistakes, how fast is it corrected and how easy it is for people to update, use, maintain. People in general don't care if there's a problem with software X that deals with security problem X. All they care is that they can use it when they want to use it.
So to say there's a Critical issue with linux isn't surprising, it's how they go about correcting the issue and getting it resolved, and how easy that process is etc. Now you're telling me I have to upgrade my OS to correct the issue with this? That's more of an issue here as how many people out there in the general user group are going to download the new beta program of the next version of Ubuntu and load it up just to fix an issue with this? If there isn't a way to automatically download and apply the patch and make that issue seamless for the user, then as any other software out there it will go unnoticed, remain a security issue and make linux just as easy as a target for people to attack.
Finally, note that free software distributions like Debian clearly label binary blobs required by the Madwifi drivers as non free and these are not included by default.
The point that PC World misses is that non free has problems in both the Linux and Windoze world. The magic of GNU/Linux is that it's Free Software. When you mix in binary blobs, you are once again a helpless user. Others have noticed that Atheros does not release specifications required to build drivers. That's too bad, but they are not the least friendly wireless company.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
There is a huge propaganda (AKA PR) machine for microsoft powerful enough to keep most users (>50%) on windows even if microsoft stopped upgrading and kept us at windows 98.
It's understandable that anybody using alternatives has to explain or promote their alternatives because:
A) the ignorant ask them WHY
B) their competence is questioned (it must be the best if everybody uses it right??)
C) little is reported unless it's negative(free) except for paying customers (advertisers or large chunk of the readers)
D) a small user base hurts any platform and increases how often they have to put up with A and B
What we should be highlighting is the horrible hardware vendors who give next to no help and often write poor quality drivers in general. This problem is a windows issue as well.
Democracy Now! - uncensored, anti-establishment news
This sounds like paranoia. Everyone knows Linux is U BEN PWN3D BY THE SUPR HAX0R BOW B4 MY L33T SKILZ the most secure OS around!
Fedora does use up2date for automatic notification of patches. Your problem, however, is that FC3 is no longer supported, so there will be no more official updates for it.
Madwifi is pretty much the only game in town if you are using linux drivers for atheros chipsets. Unless you want to use ndiswrapper for windows binary drivers (bleh), which would not be installed by default.
rpm -qa|grep madwifi
grep madwifi /var/log/rpmpkgs ;)
I concede that the above information will probably not be known by the "average" linux user who just wants a point and click desktop environment. I love KDE, but I ALWAYS have a konsole session open.
You moved to Linux because it wasn't Windows; not because it was Linux. Sounds like you're on the verge of realizing you had unreasonable expectations. Keep it up!
Okay, what is it about the "average user" that makes Linux not ready for prime time?
Okay, now you're talking about Windows. And I'll disagree about 90% of Microsoft's security problems being the fault of the users. The default install of a system should be secure enough WITHOUT requiring the users to know how to secure it.
And by "something" you mean "plug it into the Internet as it was advertised".
Meanwhile, Ubuntu ships with NO open ports by DEFAULT. So I can plug it straight into the Internet in its default configuration.
And with Ubuntu's default installation, that is not a problem.
But it is a problem with Windows.
But you say that that means that Linux is not ready for prime time.
Users will always install vulnerable apps. You cannot compare two systems based upon what the admins of those systems can or cannot do with them. Instead, compare the default installations and how their security models are implemented.
https://www.scientificlinux.org/
;) I've never used it, I just know about it.
Might be worth a look for you at least
My blog. Good stuff (when I remember to update it). Read it.
If this was a Microsoft flaw there wouldn't be any talk of "good PR" in releasing a patch quickly, or any other positive angle. There would be reply after reply about Microsoft's code being bloated, the evils of closed-source, monopolistic tactics, that one time when Bill Gates stood on a cat's tail by mistake, etc. Linux isn't the only golden boy, Firefox (vs IE), Google (vs big nasty corporations), etc get just as much ridiculously transparent partisan treatment.
Vulnerabilities, particularly serious ones, are never good news. At the very least it would cost businesses who have deployed Linux engineer time in fixing (applying patch(es)) the problem, it generates uncertainty in the market - it creates the potential for business managers who just scan the IT news pages to say "didn't Linux have that serious problem not long ago?". This much is true of any OS, particularly one that businesses need to rely on.
I'm a firm believer in open-source, and I use both Windows and Linux in equal measure both at work and at home. I don't however believe fundamentally that the fact Windows and IE are closed-source automatically make them "poorly written". As has already been remarked a lot of this comes down to usage statistics... with a 90%+ market share you can guarantee that every hacker out there is trying to find fault in every single DLL that Windows ships with. As Linux gains more traction in the desktop & server markets as time goes on you can be sure that there will be more vulnerabilities like this being found. Programmers make mistakes, and there is no such thing as bug-free software.
I really wish Slashdot could dispense with the hidden agendas, partisan attitudes and blatant fanboyism and not sweep serious vulnerabilities like this under the carpet as if they aren't a big deal. Dismissing them as trivial is - if anything - more damaging than giving them the proper attention.
It doesn't matter which operating system you use - they all contain buffer overflows.
I've worked on at least one system with hardware/firmware/OS protection against buffer overflow and other memory access issues. I'm certain there are others.
The article mentions a software debugging technique known as "fuzzing".
What are they talking about?
You won't be getting any updates for FC3 since the Fedora Project has dropped support for that. If you like the Fedora distribution you can go with FC6 or wait for May 24 when FC7 is due to be released. Otherwise, Ubuntu is a fine distribution.
Try this:
What? ®
Last time I used Fedora was over 2 years ago. At that time, there was no decent gui front-end to yum. Anyways, all you need to do is to type yum equivalent of apt-get update && apt-get upgrade.
Another important thing is your release being supported. I know the fedora legacy project was introduced to support older releases, but they're being shut down now. Last update to FC3 was made almost half a year ago.
If you don't want to upgrade your distro often, Ubuntu LTS (long term support) might be a good solution. They will release patches for 5 years. Last one (6.06, Dapper Drake) was released in June 2006 (we'll probably have to wait a full year for the next LTS, at least that's what M. Shuttleworth is predicting). By default, Ubuntu shows an icon in a taskbar whenever there are some updates. You can, however, choose the option of having them installed automatically.
Isn't one of the selling points of the MicroKernel (like mac OSX) supposed to be higher driver security since everything is walled apart?
Some drink at the fountain of knowledge. Others just gargle.
So what's better that "Linux boxs compromised!"... It doesn't care that it's already fixed, even if was fixed 4 months ago... There's a need of news so any news that yells to you it's ok :/
ghostbar page.
Funny how this didn't make /. till after the patches were heading out, and i read about it a week or so ago...
Wait! Someone got WiFi to work in Linux!?
Okay, easy...just saying this is one area that's always been behind in Linux.
http://www.archlinux.org/
Dude, what the fuck is the matter with you? I just hit your site and read "It's not just wrong, It's illegal". Please allow me to quote:
"Another result was the fact that even now it is uncommon to find alcohol for sale anywhere other than dedicated beer and liquer stores. You can not, for example, buy wines or beers in corner shops or even many supermarkets, as is common in much of the rest of the world."
How many times have you visited the U.S.? Have you visited any states besides Utah? Provided they are of age (21), An individual can buy beer and wine just about anywhere, i.e., Supermarkets, petrol stations, etc... - In Texas, California, Oregon, Arizona, New Mexico, Idaho, New York, and on, and on, and on....
David Chisnall, you are an ignorant ass.
I'm not trying to be mean but maybe it's time to switch to FreeBSD. I've been a Slackware user for over 12 years. I've switched a couple of machines to FreeBSD after I realized the direction the kernel and community was heading. It's been two years since the first switch and the BSD machines do work as well as the linux ones. I switched also for the lack of dependence on one head person. I learned with slack if the leader is down for some reason you could be sitting in limbo awhile.
That's because you have not gotten your head around the fact that peer review makes for better code.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
A secure language is one you know how to use, have decent experience with, and which makes it easy to find and patch bugs. Simply put, even the most "secure" language can give security vulnerabilities if you write sloppy code without knowing your stuff.
Ever seen this?:
try{
dangerousStuff();
}
catch(MajorSecurityExceptionThatNeedsToBeDealtWith e){
//implement this later
}
Now people, don't claim that you never do it yourself, because at some point in time, when you didn't know better, you did something just as bad. This happens. It isn't the end of the world. What does cause problems, however, is ignoring the problems once you are aware of them. OpenBSD is secure, not because it has some superior language or whatever, but because they audit their code and fix problems. Windows is insecure, not because it uses poor languages [ well, not ONLY because of that ... ] but because they don't fix the problems everyone knows exist. Another problem is that they deliberately break their APIs to stifle competition, meaning third parties can't really know what their code is REALLY doing, or worse yet, what it will be doing when the next update is rolled out. It is a recipe for disaster.
am I at risk?
So at the same time it doesn't bother you at all when the linux core developers found a "code security review project" that uses hi-tech tools (static code analysis and such) and good old auditing to find vulnerabilities.. But they have never in the past 5 years so far announced any holes? You are not bothered at all that hundreds of vulnerabilities have been fixed in silence masqueraded as "uhh I rewrote this because the old version sucked, it was too slow etc etc" ?
Stop spreading your silly FUD and smell the coffee. If ever possible the linux core development is even crappier.
If you're using Fedora Core 3, I would recommend you to migrate to CentOS 4. It is based on RHEL which was based on Fedora Core 3 (more or less), so hardware compatibility should be perfect. It still has 4 or 5 years of security updates available.
It is possible to make an upgrade from FC3 to CentOS by using yum, but I would not recommend it. A clean install would be your best bet.
crontab -e
# cron for root
# update system at 4AM daily
0 4 * * *
Even easier:
su -
service yum start
Enabling nighly yum update: [OK]
I use [linuxdistro] and am a firm believer in open source software, but we just can't pretend that [securityflawfixedmonthsago] isn't a big deal. Your average Joe user isn't able to install a patch and this just proves that Linux is not ready for the desktop.
touche!
What? ®
Yeah, I know FC3 is no longer supported. (Why do you think I read /. ? I have to find these things out somewhere!) I've tried live CDs of FCsomething (don't remember which one) and CentOS, none of which would deal with my hardware. So, I'd probably be kind of dumb to set up automatic updates, no? Or are they smart enough not to touch things that would break? I've used yum (command line), and synaptics+apt-get, but the real problem, as folks have pointed out, is that FC3 and its repositories are dead letters at this point.
I *think* my problem is mainly nonstandard video/graphics stuff, but figuring out drivers, dealing with modules, and recompiling kernels freaks me right out. The good news is that -- crosses fingers hopefully -- so far everything works, and next year there's a new laptop in the budget.
I've actually been using Kubuntu on another computer for a while now (since late Breezy days), which is the reason I wish I could get it running on my main machine. I'm waiting for Feisty with bated breath in the hope that it might work on my hardware. Thanks for the link to scientificlinux. Looks interesting. Thanks too for the command line tips. Useful. I do have madwifi on my system. So now I'm wondering how vulnerable I really am. In order to hack into the wireless, wouldn't the hacker need to be within wireless range? I live in a working class neighborhood with lots of 60" plasma displays for watching football, and no other computers. (We've got six, or is it seven?, to even up the balance.)
Soooo... There's a 'critical' security flaw in an already security flawed technology?.. Where's the real news? Wifi is insecure anyway, and any hacker with real skill will take control of any machine using wifi.
Makes one wonder how much the author was paid to run this junk. After all, there is that big Vista-security pitch going around that this type of crap helps boost.
I mean there is an actual fix for it.
Well, never underestimate the stupidity of the media when relating any 'newsworthy' garbage that helps fill their pockets with green.
oh...A serious bug in Linux, How's that possible? It's developed by God... oh wait, that's not true...It's just another s/w product and lets bash Microsoft for fun...
What does it mean for IBM (which is a corporation) to have an opinion?
I'm not an official mouthpiece of IBM when I'm posting on Slashdot! It's just a disclaimer (more for IBM's benefit than for mine).
Cheers,
Toby Haynes
Anything I post is strictly my own thoughts and doesn't necessarily have anything to do with the opinions of IBM.
i especially love the sub-title for this story. suddenly we all have balanced views on security.
It's OK Bender, there's no such thing as 2.
Any chance you want to mention what the brand and source were on the $30 USB dongle?
I'm always looking for more known-good Linux wireless hardware that's actually being sold in stores (as opposed to the vast majority of models that are known to be working and which you can't find except for inflated prices on eBay...grrr).
I had just written off all USB wireless peripherals as a vast sea of Windows-only non-standards-compliance...
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
#2 is the correct answer. You can have a 100% stable system so long as you are willing to deal with a few restrictions:
1) It can only run the software it was designed for, on the hardware it was designed for. You may not, at any time, upgrade it. The whole system will have to be re-verified if you do.
2) You can only access it in approved ways. You can't plug random devices in to it. Whatever the spec is for how it is going to be accessed, that'll be the only way allowable.
3) You can't have it right now. Development and testing is going to take a long time.
4) It is going to be expensive, because of all the testing and additional hardware.
but it does not prove what you say:
This issue has nothing to do with non-free. The fix was in the free portion of the code, according to this link. Moreover, the bug was not found due to it being open source. It was found by testing. So just by virtue of being FOSS, software does not become miraculously bug-free.
First, a diff file to the free section does not prove much because you won't see changes in the non free side. Not being intimately familiar with the code, I can't tell what's going on and no one without access to all the relevant code could ever be completely familiar with it. Even still, you are right about beating as a method of finding problems. That's the way people do it. The difference here is that a fix would have been easier and faster if all of the code was available. I'll also say that the flaw would have been less likely to occur if all of the code was available.
You are also right about there being no magic to free software - peer review is science, not magic. Getting things right with binary blobs is luck or magic and that's part of the reason there's a problem and we are having this little conversation.
When this happens with a free driver, you can put it in my face. Until then, the score is non free -1, again.
For the driver to be completely free, Atheros would have to create a chip incapable of violating FCC regulations, ...
If this is true, how is it that any free drivers exist?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
Right, but the fact that it's partially closed source, and thus not in the upstream kernel, means that it doesn't get anywhere near the same rigorous review & testing that upstream kernel drivers get. Hence: bugs ahoy. Especially nasty security ones.
See also: nvidia.
Also, current FC uses yumupdatesd. However, if you are running stock Fedora, you are not running MadWifi, as Fedora will not distribute it due to licensing issues, AFAIK. You only need MadWifi if you have an Atheros-based NIC (there's an exhaustive list at madwifi.org). If not, don't worry about it. Disclaimer: Fedora maintainer and madwifi user.
You are not the customer.
What kind of graphics card? I find it unusual that you have a graphics card that works in an old distro, but not in a new one, it's usually the other way around. It might be an issue with a kernel setting I suppose. I know I've had to add some boot options to Ubuntu to get it to play nice with an older laptop I have (forget what, something about disabling APIC or something like that).
Curiosity was framed, Ignorance killed the cat.
ATI Radeon Mobility 7500. I may be wrong on this, but I have the impression that custom drivers were written for some of the hardware I've got and the kernel was compiled with those modules. Does that make any sense? I don't know if I'm saying it right. What I mean is that I have the impression everything depends on everything, and if I pull one thread, the whole thing might unravel.
are compilers that have been proven to be correct (i.e. to adhere to the operational semantics of the language it compiles.). I can't remember the compiler offhand though, it's probably one of the ML ones. Of course that doesn't mean that there isn't a bug lurking somewhere in the C library that the compiler (or the runtime!) probably uses at some level.
I think Knuth said it best: "Beware of bugs in the above code. I have only proven it correct, not tried it."
Generally, a lot of the difficulty in proving code correct comes from the mainstream languages' adherence to the Turing Machine model, i.e. mutable state. If you program in a language with referential transparency, say Haskell, it suddenly becomes much easier to prove that your code is correct -- certainly not trivial by any means, but much easier. Some say it makes actual programming harder, but frankly I don't find it that hard since it almost automatically leads me to write more correct code. The reasons could be many, but I suspect it's mostly because it tends to force me to think more before actually writing any code. That and a vastly richer type system which lets me *gasp* embed proofs into my code. And the fact that you have to write less (boilerplate) code overall. And...
HAND.
it's that difficult, at least from a technical perspective. As I see the problem is more of a social/practical one than a technical one. The fact is most drivers are written in unsecure languages (C or C++). All you need for safer drivers is a programming language such as Occam. Occam can make static guarantees about memory use, process isolation, etc. and you end up not needing hardware protection at all. Now, getting the whole world to change their compilers to output Occam instead of C/ASM isn't exactly easy, but it's a social problem, not a technical one.
:))
(Of course, I'm not naive enough to think that this will actually happen, but I think it's worth pondering. And in the meanwhile we can be happy that hardware-based virtualization seems to be here to stay.)
HAND.
std::string is not secure. The standard does not mandate bounds checks on its operations; this is a consequence of the STL not mandating exceptions and many of std::string's functions returning references.
HAND.
Why? First and foremost because the ML language prevents you from doing things you shouldn't (your phrasing), namely violating the type system. Secondly because its type/module system actually supports abstraction in useful and meaningful ways.
HAND.
Hmm, most drivers in Linux are modular and loaded on demand during the boot process. Graphics cards usually don't require a particular driver until you startup your X server, although with most distributions aiming for point and click operation the X server is just about required to boot. That being said, I know that Ubuntu has a boot option that says something like "Boot into safe graphics mode" that represents a lowest common denominator and should boot safely on virtually any graphics card. As for other hardware, that could be an issue. When you say custom drivers were written, who wrote those drivers, and how did you get them? I doubt FC has drivers in it that the other distros don't, although it may be the case that they aren't compiled by default in other distros. If you really want something up to date, and you have some strange hardware that drivers are available for, but not normally compiled, you may have some luck with Gentoo, although it can be daunting to install even for technical users. In general, if you follow the walk through on the Gentoo website exactly as it says, and have all your hardware information written down beforehand so you know what kernel modules to compile, it's time consuming, but not that hard.
Curiosity was framed, Ignorance killed the cat.
... something can keep you from writing insecure code. I just demonstrated one way to keep yourself from writing code which was vulnerable to SQL injection. You can use a similar trick to prevent yourself from writing an HTML/XML templating engine which allows quoting or cross-site scripting bugs. You can use a similar trick to prevent array index overflows while still permitting the elimination of most run-time array bounds checks (by 'blessing indexes'). In fact, this simple abstraction trick applies to most types of security problems which actually occur in practice. Just those three categories of security bugs probably cover more than 90% of all security issues which are typical today.
In more general terms: You write a small "kernel" which can be trusted (prepare_stmt in my example) and you've effectively forced yourself (and others if they use your module) to write secure code everywhere else.
HAND.
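The small-trusted-kernel pattern described in the comment above, as an added Rust sketch that is not part of the original thread or the commenter's own code. Only the name `prepare_stmt` comes from the comment; `trusted`, `Stmt`, `StmtError` and `execute` are hypothetical, and the quote doubling is a simplified stand-in for a real driver's bound parameters.

```rust
// Added example. Everything except the name prepare_stmt is hypothetical.
mod trusted {
    /// A query whose text can only be produced by `prepare_stmt`.
    /// The field is private, so code outside this module cannot wrap a raw String.
    #[derive(Debug)]
    pub struct Stmt(String);

    impl Stmt {
        pub fn sql(&self) -> &str { &self.0 }
    }

    #[derive(Debug, PartialEq)]
    pub enum StmtError { ArgCount { expected: usize, got: usize } }

    /// The only place where untrusted values meet SQL text.
    /// `&'static str` means that in practice the template is a string literal.
    pub fn prepare_stmt(template: &'static str, args: &[&str]) -> Result<Stmt, StmtError> {
        let parts: Vec<&str> = template.split('?').collect();
        let expected = parts.len() - 1; // one placeholder between each pair of parts
        if expected != args.len() {
            return Err(StmtError::ArgCount { expected, got: args.len() });
        }
        let mut out = String::from(parts[0]);
        for (arg, rest) in args.iter().zip(&parts[1..]) {
            out.push('\'');
            out.push_str(&arg.replace('\'', "''")); // standard SQL quote doubling
            out.push('\'');
            out.push_str(rest);
        }
        Ok(Stmt(out))
    }
}

use trusted::{prepare_stmt, Stmt};

/// Stand-in for a database call: accepts only `Stmt`, never a bare string.
fn execute(stmt: &Stmt) -> String { format!("EXEC: {}", stmt.sql()) }

fn main() {
    let hostile = "x' OR '1'='1"; // constructed sample input
    let stmt = prepare_stmt("SELECT * FROM users WHERE name = ?", &[hostile]).unwrap();
    println!("{}", execute(&stmt));
    // execute("SELECT ..."); // does not compile: expected &Stmt, found &str
}
```

Only the `trusted` module needs review for injection; every other call site is checked by the compiler because it has no way to construct a `Stmt` itself.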
The issue was completely buried in the open source part of the driver. If you look at the original report and the actual fix that would be quite easy to spot. I fail to see why not having access to the source of not even involved parts of the driver would have helped to solve this issue easier and faster.
Are you telling me that there's no additional complexity to not having all of the source code? That a rigid API is something that has no coding cost? Would it be easier if the whole thing was free or not?
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
madwifi http://www.milw0rm.com/exploits/3389
Okay, time to come out of the closet. The hardware is a Sharp MP30 laptop and came with Linux pre-installed. The Emperor Linux people are the ones who made everything work (2 years ago, no less, when it was all pretty cutting edge). The kernel is even called "empkernel"-something-something. It's worked exactly as advertised, but those Emperor Linux laptops aren't cheap. Gorgeous, light, and the whole nine yards, but not cheap. Hence the need to pace myself. ;-}
Graphics cards usually don't require a particular driver until you startup your X server. Interesting you should say that. That's exactly where the boot process craps out whenever I try any other distro.
I keep telling myself that I'm spending more time worrying about it than it would take me to just carefully follow directions and try some of the stuff that feels so adventurous. And who knows, one of these days I just may get off my procrastinating duff and do it.