It's not distro specific. Every distro of every OS has unknown exploits associated with it.
This is a prime reason why OSS is the only rational solution. Proprietary software companies such as Microsoft will first deny that there is any security problem. Then they will admit that there is a security problem but refuse to tell anyone what it is for security reasons and will emphasize with political clout that they and only they are allowed to work on it. They will refuse help from any outside source.
This is really the heart of the issue: the unknown exploits. I've often been at the forefront of theorizing about possible vectors for unknown exploits. I'm usually flamed severely for it. The fact of the matter is that these unknown exploits exist and people need to be ready to deal with them.
If a "bad" hacker comes up with a new root exploit he's not going to e-mail all of the "good" hackers and let them know. He's going to make use of it mercilessly until he's noticed and caught. Microsoft ignores this issue outright and the OSS community tends to skate around it. If the computing public as a whole knew the facts about security then McAfee and Norton wouldn't even be in business. "Updating virus definitions" twice a week is still going to be ten weeks behind the hardcore caffeinated malicious hacker.
The OSS community has dealt with this issue in the most productive manner possible: complete openness and timely notice. Microsoft, on the other hand, would happily allow millions of users to remain compromised for months or years until their internal programmers manage to find the "unknown local root exploit". This could easily result in identities and credit card numbers stolen, bank accounts infiltrated, and possibly even malicious interference with real life relationships and employers just for fun.
Should the software manufacturer be liable? No. Should the user be entitled to know? Yes.
The OSS community is the only solution which addresses this situation correctly.
Government involvement is bad. It is flat out bad. It will always be bad.
Laws are written with the best intent. Intent aside let's get back to reality. No one has more perseverance than a person with a grudge. If it takes 10 people working 40 hours/week to find the one obscure law that will help one person then the cost-benefit ratio cannot be justified in the funding committee. If it takes 20 people working 80 hours/week to find the one obscure law that can be twisted around to convict a person (rightfully or wrongfully) then the funding committee will decree "let justice be served."
Empirically laws are selectively enforced and abused. The original good intent is lost to malice, avarice, greed, and spite.
Happiness is fewer laws.
+++ATHZ
Don't you check kernel.org at least once per week?
Not really finding anything that's particularly necessary in 2.4.x I have thoughtfully considered backgrading to 2.2.x. I can't find any 2.4 attributable problems however. Now that I'm here I'll probably stay here unless a network security hole that's 2.4 specific slaps me in the face.
+++ATHZ
I want to ride the particle accelerator first. I'm the best candidate to notice any flaws in the mechanism and ensure its safe use for upcoming riders.
Pay heed to the noble knight. Let's not turn this into a flame war. When it comes to competing against corporate feature/backdoor-ware we're all in this together. If we stand at the line and look at the Linux crowd then let's do this in a friendly manner. Let the best man win. Talk about strengths.
That said: Debian is an awesome primer to get to the meat with LFS. :-)
Propaganda b***s**t typically is the longest post available.
If the liars can't win with lies then they try floods.
Companies routinely watch employees using network administration tools (i.e. backdoors). Placing an icon in the tooltray doesn't negate the definition of a backdoor. It's only natural that someone does it to them.
And the world continues to go 'round...
The real question is: If an employee tests the ethics of their management by tempting them and the management oversteps the line what recourse does the employee have? At what point is management criminally stalking the employee?
When the owner of the bug is your manager things get hairy. He doesn't want to admit the flaw to his superiors. He doesn't want you to show the flaw to his superiors and he will make your life hell as long as you know about the bug. He'll probably make it part of your year-end goals to fix the bug. Since he doesn't want the people above him to know about the bug he'll also have you do a few dozen other things to obfuscate the real target of your daily duties.
At the end of the year when the bug still exists and you haven't fixed it for him then he'll find a way to tell human resources that you are an incompetent employee who the company would be better without.
If you did manage to fix the bug then he'll take the fix and show it to his managers. They'll turn pale at seeing the bug and then breathe easier when he provides the fix. They'll never ask who actually created the fix.
Congratulations for finding the bug. :-) Don't ask for any sort of compensation. Bug-tracking isn't part of your job. Your job is to do exactly as your manager tells you. If you persist you may be terminated for insubordination--performing duties which your manager didn't specifically assign to you.
And don't ask questions.
fundamentals fundamentals fundamentals.
The overflow comes from faulty fault-testing of the input. This is no better than installing a car alarm with an on-off switch mounted on the dashboard. It's impossible that someone didn't know about this sooner.
If people were half as critical of their code as they are of me we wouldn't have root exploits that span three versions.
For all of those who are immediately trying to start a mailclientxyz bandwagon: Have you checked *your* buffers lately?
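The "faulty fault-testing of the input" the post above describes is the classic missing length check before a copy into a fixed-size buffer. The following is an added illustration, not code from the poster or from any mail client discussed in the thread: it assumes a hypothetical 16-byte header field (FIELD_MAX) and uses constructed sample lines. It places the unchecked copy beside the checked one so the difference in "fault-testing" is visible, and the checked version fails closed on oversized input instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* hypothetical fixed-size destination field (assumption) */

/* The flawed pattern: the input's length is never tested before the copy,
 * so any line longer than FIELD_MAX - 1 bytes overruns 'dst'. Shown only
 * for contrast; nothing below calls it. */
void copy_field_unchecked(char dst[FIELD_MAX], const char *src)
{
    strcpy(dst, src);               /* no bound: overflow on long input */
}

/* The fixed pattern: test the length first, reject oversized input, and
 * only then copy. Returns 0 on success, -1 when the input is rejected.
 * The length scan itself is bounded so an unterminated input cannot make
 * the check read past the limit either. */
int copy_field_checked(char dst[FIELD_MAX], const char *src)
{
    size_t n = 0;
    while (n < FIELD_MAX && src[n] != '\0')
        n++;
    if (n >= FIELD_MAX) {           /* no room for the terminating NUL */
        dst[0] = '\0';              /* leave a defined, empty value behind */
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n < FIELD_MAX, so the NUL fits */
    return 0;
}

/* Audit helper: run the checked copy over a batch of lines and report how
 * many the unchecked version would have overflowed on. */
int count_oversized(const char *const *lines, int count)
{
    char buf[FIELD_MAX];
    int rejected = 0;
    for (int i = 0; i < count; i++)
        if (copy_field_checked(buf, lines[i]) != 0)
            rejected++;
    return rejected;
}

/* Constructed sample "header lines": two benign, one oversized. */
static const char *SAMPLE_OK   = "From: alice";                       /* 11 bytes */
static const char *SAMPLE_EDGE = "123456789012345";                   /* 15 bytes: the largest that fits */
static const char *SAMPLE_LONG = "From: a-very-long-sender-name-that-keeps-going";

int main(void)
{
    const char *const lines[] = { SAMPLE_OK, SAMPLE_EDGE, SAMPLE_LONG };
    char buf[FIELD_MAX];

    printf("ok   -> %d (%s)\n", copy_field_checked(buf, SAMPLE_OK), buf);
    printf("edge -> %d (%s)\n", copy_field_checked(buf, SAMPLE_EDGE), buf);
    printf("long -> %d (rejected, buf=\"%s\")\n", copy_field_checked(buf, SAMPLE_LONG), buf);
    printf("%d of %d constructed lines would overflow the unchecked copy\n",
           count_oversized(lines, 3), 3);
    return 0;
}
```

The design point is that the check happens before any write, the rejection path leaves the destination in a defined state, and the length scan is itself bounded by FIELD_MAX; each of those is a separate way the "fault-testing" can be half done.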
Indeed. As others have noted this article seems to be network Nazi propaganda encouraging everyone to register and identify.
Protocols will always have holes. The solution is proper maintenance.