I am surprised that so many people don't realize that computer security is a business. It is in the best interest of the researchers or security companies to release advisories for the sake of PR. It is a form of advertisement for security guys; that is why they want to produce reports. When you work on a security exploit, you want to release it not for the sake of making things less secure, but to show off your work and knowledge.
Imagine you worked on a problem for a month and then are told you can talk about it. The fact they are giving vendors some time to fix the problem shows how responsible they are. This is their livelihood and they are not going to wait forever to make money. Oracle doesn't want to fix it because it costs money, but for every day the researcher or security company waits, it will cost them.
The problem is the vanilla kernel already has a lot of drivers, fs, etc. I would like to see the vanilla kernel without drivers/fs/etc. and just leave the barebones subsystems like the VFS. Then use something like portage to add fs/driver/etc. patches to the base vanilla kernel.
For the people that want binary drivers, just stick with your distro. They are there for a reason, and if they don't provide the driver then bitch or change distro.
That is such a stupid comment. I can pick up a pencil and draw, or any other tool. Will it be good? I don't know; it is in the eye of the beholder. Same goes with coding; there is good code and bad code. Anyways, I don't think you can compare the two. You should compare coding to drawing or sculpting. The fact is coding can be very artful, just like math or poetry.
Here is an example:
From wiki http://en.wikipedia.org/wiki/Poetry:
"Poetry (ancient Greek: poieo = create) is an art form in which human language is used for its aesthetic qualities in addition to, or instead of, its notional and semantic content."
Now let's sed it (the stray backslash before "human" in the original command has been removed so it runs):
echo "Poetry (ancient Greek: poieo = create) is an art form in which human language is used for its aesthetic qualities in addition to, or instead of, its notional and semantic content." | sed -e 's/Poetry (ancient Greek: poieo = create)\(.*\)human/Coding\1computer/'
Coding is an art form in which computer language is used for its aesthetic qualities in addition to, or instead of, its notional and semantic content.
Isn't this like saying images that I make in GIMP are GPL? Granted, the program must purchase the copyright to use the image format (a la GIF), but the user doesn't. That is why when I use multiple graphics programs they each pay the license to use GIF. Otherwise, I should be able to pay for one GIF license and use it in multiple programs.
Network throttling is nothing new; the Honeynet Project has been doing this for years: http://project.honeynet.org/tools/index.html
Now they are using Inline Snort (Snort + iptables) to make a signature-based firewall. Essentially a layer 7 firewall, but with the cool feature to modify packets and not just block them.
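As an added illustration (not code from the Honeynet Project or from the comment above), this is the shape of the Inline Snort deployment described: iptables hands packets to userspace, and the rules decide on payload content. It assumes the snort_inline build of Snort 2.x, the iptables QUEUE target and the snort_inline "replace" content modifier; the rule contents and sids are constructed for the example.

```conf
# Constructed example of an Inline Snort (snort_inline + iptables) setup.
#
# 1. Send every forwarded packet to userspace so snort_inline can verdict it:
#      iptables -A FORWARD -j QUEUE
# 2. Start Snort in inline mode reading from that queue:
#      snort_inline -Q -c /etc/snort_inline/snort_inline.conf
#
# "drop" makes a layer 7 decision a plain iptables rule cannot: the packet is
# discarded only when the payload matches the signature.
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"inline drop - example rule"; \
    content:"/cgi-bin/phf"; nocase; classtype:web-application-attack; \
    sid:1000001; rev:1;)

# "replace" is the packet-modifying feature: the matched bytes are rewritten
# and the packet is forwarded. The replacement must be exactly the same length
# as the matched content, otherwise TCP sequence numbers no longer line up and
# the connection breaks instead of being silently defanged.
alert tcp any any <> any 80 (msg:"inline replace - example rule"; \
    content:"GET"; replace:"BET"; sid:1000002; rev:1;)
```

The replace rule is the kind of thing the comment calls "modify packets and not just block them": the client still gets a response, but the request it sent is no longer what arrives at the server.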
It uses a hash table instead of a linked list. It pretty much comes down to using more memory for better performance. Not really that hard of a thing to do. The preemptive scheduler is a little bit harder to do, but Robert Love mixed in a lot of the SMP code to handle the inherited problems involved. A really sweet hack, if I may say so myself. Hope that helped.
Actually the API for most drivers is not that bad. Look at the USB subsystem, and the new input subsystem also looks good. Normal char devices have had a standard API for a while now. So the issue you're having is not in the code, but in how the kernel is released. I posted about how this should be fixed to be more flexible and scalable for the future.
I sympathize with the SGI developers about the inclusion of the XFS filesystem into the kernel. The reasoning for this is that there is a perception that something that is not included in the main kernel branch is unstable, which is absolutely wrong. So it is beneficial for developers to have their module included in the branch, so it can be considered a proper part of the kernel. I think this is a major weakness in how the kernel releasing structure is set up.
Honestly, I would like to have this releasing structure changed. For example, filesystems don't need to be inside of the kernel branch, only the virtual file system. Let the distributions take care of putting all of the different filesystems into their kernel branch. The kernel branch should be the base point of all the other distribution branches. If you want ext2 in your kernel then go to the ext2 guys, grab the patch and apply it to the kernel; no more inclusion. I have already heard people state that patching should not be done by a regular user, which is correct; but that is why you have distributions that have their kernel branches with all of the filesystems they think should be included. No more arguments about why one module is inside of the kernel branch and the other isn't.
Linus and his maintainers can now only worry about the main system and let everyone else deal with their own patches. If your patch needs a change to the kernel branch then you talk to Linus and his maintainers, who decide if it is a good idea, or if you need to change something in your code. This would lower the number of releases of the main kernel branch, since there is a smaller amount of code that can be changed. Also the releases can be based on whether an interface to the main system has been changed which affects the other patches, or just a fix to the internal code. This can lead to easier maintenance of other patches. The more code that can be taken out and put into its own tree the better. Kinda like having a hierarchy of trees.
This can lead to cool pseudo Linux distributions where one can say I have xx branch of the kernel. This is already happening, like mm-sources, redhat-sources, etc., but taking out the favoritism of the main kernel developers. This could also solve a problem with the size of the kernel source tree in the future when there are tons of different drivers, filesystems, etc.
This is just an example of what it could be like, and I am sure there is more that has to be looked at; but I think this approach has some credit.
Security is so much more than stopping the user at the door. There are always going to be 0-day exploits, which have no patches. The trick with security is mitigating your exposure. Getting root is not a successful hack, keeping it is. So what if someone rooted my box? If I can see it, I can deal with it. These latest high-profile compromises are actually good news because the attacks were not successful. It shows how well Linux can mitigate exposure, and how it layers its security. This is where Microsoft goes wrong with its latest methodology towards security. They think putting a firewall in place is all that you need, which is absolutely wrong.
But do you see a cop at every intersection?
Rich != Smart
S-M-R-T!! I mean S-M-A-R-T.