Exploits Emerge For Linux Privilege Escalation Flaw

angry tapir writes "Linux vendors are rushing to patch a privilege escalation vulnerability in the Linux kernel that can be exploited by local attackers to gain root access on the system. The vulnerability, which is identified as CVE-2012-0056, was discovered by Jüri Aedla and is caused by a failure of the Linux kernel to properly restrict access to the '/proc//mem' file."

Re:Hrrm

[Mad+Merlin]

Rule #1: There is no such thing as 100% secure. Even 100% bug-free cannot be considered 100% secure.

There's also no such thing as 100% bug-free.

Rule #3: All security is ultimately "security through obscurity."

While in the strictest sense, this may not be untrue, to phrase it that way is extremely dishonest. An encryption algorithm that relies on the secrecy of the algorithm is totally worthless (security by obscurity), whereas an encryption algorithm that relies on the secrecy of the keys used for encryption is quite useful (not security by obscurity in the normal sense).

In fact, if you want to be pedantic about it, the relevant definition for obscure is...

not readily understood or clearly expressed; also : mysterious [1]

Which is about understanding and not so much about knowledge. I may understand that I need a username and password to log into your system, just because I don't know what the username or password is doesn't make it security by obscurity. In fact, say I wanted to break into your house, I may have seen you use a physical key to open the front door and walk in and I may have even memorized the pattern of teeth on the key, but it does me no good if I don't have a key of my own to open the door with. There is certainly no obscurity in that security.

If you're going to go ahead and say that all security is "security through obscurity", then you may as well make the next logical step of not implementing any of it.

[1] http://www.merriam-webster.com/dictionary/obscure