Slashdot Mirror
Linux 4.3 Released As Stable; Improves On Open-Source Graphics, SMP Performance (lkml.org)
An anonymous reader writes: The Linux 4.3 kernel was released as stable today. The Linux 4.3 kernel brings Intel Skylake support, reworked NVIDIA open-source graphics support, and many other changes with the code count hitting 20.6 million lines of code.
This is Linux so putting in random USB sticks is largely a non-issue.
Running stuff (especially as root) off random USB sticks is always a bad idea on any OS of course.
I was reffering to BadUSB, which is for example the USB firmware suddendly adding a fake USB keyboard and running running curl | sh through ALT+F2, or maybe adding a USB network adapter that proxies your traffic through an attacker machine, or really all sorts of other fun things you could imagine.
This isn't the things I'd worry about, but properly done rogue firmware is definitely among the 1% scary attacks.
Most importantly, you have to trust those parts of the kernel code that you run and very few other people do.
Big bad exploits get caught. Sneaky ones can hang around for awhile.
You have 11 choices. You can either 'Learn' the code, or you can 'Trust' the code, and lastly you can 'Not Use' the code.
Most of them are related to drivers for a host of peripherals as well as other architectures and features your computer may not even have. So most code is largely untouched.
Here is a neat comparison: http://www.informationisbeauti...
Custom electronics and digital signage for your business: www.evcircuits.com
Hey, don't forget the microcode on the chip. Or, rather, do forget it. "They" insist.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
If I upgrade to this kernel, how many of those lines of code do I actually have to trust not to give away everything on my machine to a black hat? Hopefully less than 100k lines of code are actually critical.
Depends on your threat model. If your "black hat" can plug malicious devices into your machine quite many but then your security is probably badly compromised anyway. If he's within wireless range then a few stacks like Bluetooth, WiFi, WiDi etc. if you have them enabled, but if that's a realistic fear I'd simply use wired accessories. If he's got a local user there might be many vectors for an escalation attack, but then he's already got a foot in the door. For packets coming down the wire from the Internet, there's some as the kernel does parsing, routing, firewalling and so on. But for the most part it's userspace clients like your browser or daemons like sshd that'll contain the primary exploits. Kernel bugs are mostly to go from limited access to full access.
Live today, because you never know what tomorrow brings
"and the performance testing results are encouraging. Nevertheless we need to keep
an eye on potential regressions, since this potentially affects every SMP workload
in existence."
http://lkml.iu.edu/hypermail/linux/kernel/1508.3/04818.html
There's no way to quantitatively measure that. But I do know that between the 3 major monolithic kernels, it's in the top two in trust and competently-written code.
Drugs, violence, and duck tape. Any of them is the solution to anything.
Circumcision is child abuse.
Depends on your threat model. If your "black hat" can plug malicious devices into your machine quite many but then your security is probably badly compromised anyway.
Compared to... what, exactly? A networked Windows box with the fefault CIFS client for printing and drive access enabled publishes the entire hard disk as the hidden crive \\ipaddress\c$, *always*, it's a nightmare to turn off.
Compared to... a secure system. If someone can plug in devices they can probably install hardware keyloggers, spy cams and anything else they need to compromise your credentials the next time you log in. You can't trust a machine that's been tampered with any more than you can trust software that's been patched, whether it runs Linux or some other OS.
Live today, because you never know what tomorrow brings
You're confusing all the Windows on here ..
You have to assume it's compromised.
“Common sense is not so common.” — Voltaire
Firmware is just a fancy word for software. I write firmware for a living. Most of the fear around it is because many don't understand what firmware is.
The very nature of having code that runs on a processor that is isolated from the rest of your system is generally considered a good thing in security, and that's all firmware really is. Now what your computer does with the output of that firmware is really what has been overlooked for years.
“Common sense is not so common.” — Voltaire
I don't have the intel graphics driver loaded on my sysem.
“Common sense is not so common.” — Voltaire
The fact that it existed as a default for sooo long though... I mean, at what point in time did that seem like a Good Idea ?
Don't blame me, I voted for Kodos
dude, you missed like 8 choices
Actually there are 100 choices..
Trust the code
Don't use it
Write your own
Use an OS that sandboxes it by default, and only gives it the capabilities you supply.
The fact that it existed as a default for sooo long though... I mean, at what point in time did that seem like a Good Idea ?
Probably at the same point in time that it seemed like a good idea to enable SSH to a box. I mean, oh my god, with the root password (or an account that has sudo privileges) someone could remote in and access the whole computer!
The administrative shares on a Windows box really aren't all that different, you need an administrative account (root) to use them and if you have an administrative account you get full access. You could argue that they are "hidden" and not well known, but I would counter that are plenty things on the Linux side of the world that are not well known and can lead to serious security exposure (SSH port forwarding to bypass firewalls for example.)
Security in any environment requires that those using and configuring systems understand how they work and assign the appropriate access to the appropriate actors. All environments have their security strengths and weaknesses.
This is Boolying.
dude, you missed like 8 choices
there are 10 kinds of people: people that understand binary and people who don't.
Anons need not reply. Questions end with a question mark.
> This is Boolying.
.AND. ?
>> You're confusing all the Windows on here .. :)
Don't care, this is a Linux article
aaaaaaa
All of them is the solution to anything.
FTFY
Sleep your way to a whiter smile...date a dentist!
Passwords are for protecting against remote bruteforcing. For local protection you lock the door.
Yes, but you can put a password on your computer that I cannot brute force.
You cannot put a lock on your door that I cannot bypass, likely without you even knowing it was bypassed.
with the code count hitting 20.6 million lines of code
Linux' technical capabilities are all well and good but we'll know that it's truly surpassed Windows when it can claim just as many (if not more) lines of code...
I kid, I kid!
Drugs, violence, and duck tape. Any of them is the solution to anything.
Especially if you cook the duck.
> This is Boolying. .AND. ?
You're obviously full of bool.
All of the lines that you use.
Same as ANY OTHER OPERATING SYSTEM OR APPLICATION.
Were you expecting a different answer?
And have you EVER inspected the code to any program fully enough to satisfy your curiosity that it doesn't do anything you don't trust? If so, are you aware of the Obfuscated C contests?
Sorry, but for even a skilled coder, there is NO WAY you can audit this amount of code single-handedly and you have to take it on trust. Same as everything else.
Even the TrueCrypt audit didn't catch all the problems and THE DAY AFTER there was a bug found in it. And that took years to arrange.
Real programmers know there's one more option...
Log in or piss off.
Is your firmware microcode? Otherwise I agree that firmware is just code stored on an ROM. Still, this doesn't mean it isn't something to be afraid of it you don't trust it.
I think we've pushed this "anyone can grow up to be president" thing too far.
While that's generally true, there have been cases where common code has had potential exploits that have hung around for decades.
I think we've pushed this "anyone can grow up to be president" thing too far.
DUCT. TAPE. NOT DUCK.
It's not hard.
Fucking millenials.
In his/her defense there is a brand of tape called "duck tape".
Heartbleed, for one, but once it's "outed" something like Heartbleed is addressed quickly.
If you're running a bit of the kernel that applies to 1% of the users of an obscure 1% piece of hardware and that bug gets outed - response time to fix that bug will probably be less impressive.
If an exploit exists in the code and nobody knows about it (or, more importantly, uses it), does it really matter?
On my network, the active directory sets the following registry key HKLM\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks to 0. It's not really a nightmare to turn off, fairly trivial? If I can do it trivially at home, surely you can do it in your corporation.
You could use one of the numerous end point security solutions out there for windows? I've found Lumension to be quite difficult to bypass, even when you have administrative rights to a system.
Change is certain; progress is not obligatory.
They are enabled by default with Windows file sharing and fairly trivial to turn off through a registry entry.
Change is certain; progress is not obligatory.
s/Wrong, you ignorant fuck/Here's something you may be interested to learn/
Phew, now I can read your otherwise informative reply without bemoaning your inherent hostility. Yeah, I know, the OP was just as bad. Don't let that detract your response, though!
Something else to add to the discussion. The name "duck tape" _may_ be because of the duck cloth backing. Another theory on the name comes from the tape being waterproof like a duck. Even one more theory is that it was named after the DUKW amphibious vehicle.
http://www.abc.net.au/science/...
I'm only concerned if I'm giving it sensitive information. Of course the classic hack is to have your exploited mouse or whatever act like a keyboard and type something, or a storage device and boot something. It doesn't take much effort either and nobody offers a software signing service for USB peripherals.
Also when you say microcode, I don't think it means what you think it means.
“Common sense is not so common.” — Voltaire
*shrug* I'm just trying to be helpful and point out that you're acting as bad as the original poster, therefore your response loses significant worth. That's a pretty good reason to be polite. It's up to you whether you want to take the point, or let loose with more ad hominem responses.
You also need to look up the definition of condescension and pretentious. I do not think they mean what you think they mean.
That's it from me. I'll respond no more on this topic, so feel free to have the last word.
dude, you missed like 8 choices
there are 10 kinds of people: people that understand binary and people who don't.
The top poster was right.
There are 11 kinds of people: people that understand binary and people who don't.