After reading comments on this blog by supporters of that other OS and critics of GNU/Linux I was shocked (really, “How is this possible?” and “I don’t believe this is happening.” shocked…) to read some of the details of recently patched vulnerabilities in that other OS.
The matter is that one of the vulnerabilities allows privilege escalation for a local user. That’s just like in the movies where a guy logs in and steals the crown jewels… The matter is that deep in the heart of that other OS is a piece of code that deals with the layout of the keyboard, you know, “is it a US/UK/French keyboard and such?”. The software creates a “callback” and does not check the parameters properly. That is, the system will allow the user to have arbitrary code executed allowing anything to be done to the system.
See the problem? Users wanting to mess up IT to extend coffee-break, spy on the other user, open the blue-print to project Zulu-4, or divert information to the foreign power paying him handsomely, can do whatever they want. A spy-master could just provide the puppet a USB drive or a link with something to be clicked and do anything with the system.
M$ classifies this vulnerability with catastrophic possibilies “important”… and it occurs in just about every version of that other OS since XP, including 64bit and Itanium versions. Gasp. It doesn’t get much more important does it?
The sad thing from a global IT perspective is that the jokers at M$, having pushed crapware to the world suffer no consequences while putting the safety/security/livlihood of a billion people at risk. Where is the justice? The pawns who believe security is paramount at M$ are blind to the fact that to make this happen, M$ must have copied the same buggy code for a decade on everything they touched. No rewriting. No code-review. No examination of anything not uttered by the bosses who are all salesmen. Come on. It’s Computer Science 101. Check everything, because if anything can go wrong it will and in the worst possible way.
This is a sharp example of what I call bloat and spaghetti code. Callbacks for a keyboard layout? Get real. M$ deliberately chose to ignore security for the benefit of adding some useless feature so the salesmen could say the stuff was new and improved. It was neither new nor improved. It was old and worse than what they had in ancient days.
I recommend Debian GNU/Linux. It’s an operating system designed by paranoids for paranoids and it takes care of you and your data.
see National Vulnerability Database (NVD) National Vulnerability Database (CVE-2012-1893).
see National Vulnerability Database (NVD) National Vulnerability Database (CVE-2012-1890)
and, if you are not in tears already, you can read what M$ wrote about it at
Microsoft Security Bulletin MS12-047 – Important : Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2718523)
It reads like a weather report with a stalled high-pressure region overhead. No guilt/shame is expressed. No public execution of the miscreants who wrote this malware for the world. Fire them all. Use GNU/Linux.
17427
12750
206
3
2
23866 
11838 
11690 
4626 
4250 
1642 
198 
14 
2 
0 
0 
0 
Hollywood’s version of hackers (crackers) breaking into a computer:
Password: Tulip5 ACCESS DENIED
Password: Tulip6 ACCESS DENIED
Password: PASSWORD OVERRIDE Okay, you’re in.
Oh wait, that’s Microsoft.
Because Debian has never shipped a single privilege escalation:
http://www.debian.org/security/2012/dsa-2469
http://www.debian.org/security/2012/dsa-2450
http://www.debian.org/security/2011/dsa-2303
Well, at least Debian puts them all in one package and it’s only two or three in a year unlike that other OS which had them there for years in many of its products, all versions, all releases, all architectures.
None of those vulnerabilities affected my system:
So, while M$ nukes Earth with remotely exploitable catastrophes, Debian GNU/Linux causes a gentle breeze with a few narrow local vulnerabilities. Local users, I remind you, can always bring in an axe or throw things and are much more dangerous than a vulnerability like these in Debian. Granted, the Debian vulnerabilities are a cause for concern, but there is no reason to panic. That other OS on the other hand is a house afire. You should run away promptly.
IVAN I guess you cannot read and understand. All three you pulled only effect a particular sub form of Linux not your commonly used Debian Linux.
user mode linux effect windows in the form of anyone running colinux.
User mode Linux is Linux running in userspace inside another OS. This could be Linux this could be BSD this could be Windows.
Its a feature MS windows completely lacks. You cannot usermode run windows. Also its a interesting security test.
User mode Linux turns off all the hardware safe guard options. So in usermode kernel design has to stand on its own two feet. Lot more flaws are found in user mode Linux than any other Linux. Due to the fact here is nothing hiding the faults.
So really you are seeing a form of hardening.
Ivan puts on a brave show for Microsoft security. Oh wait, no, he didn’t defend Microsoft security at all, did he? No, he didn’t.
He attempted to point to another OS’s security transgression. That’s the way the Cult of Microsoft (and that’s what they are when they do that) deal with Microsoft’s nightmare security, they don’t. That’s because there is no defending it. Ain’t that right Ivan? Of course it is you weasel.
kozmcrae incompetent weasel. Because you better know what you are pointing at.
oiaohm wrote:
“Because you better know what you are pointing at.”
I am not as well versed as you and Robert are in the technicalities, for the most part. So I cannot address them as you can. There is no need for that though. You and Robert, and others, have that well covered,
In this case I’m pointing at the way the Cult of Microsoft try to defend Microsoft’s atrocious security. And that is by pointing to another OS’s apparent security transgression. That is their typical response and I, typically, will make note of it.
That is one of the main reasons why I post here, to point out the repetition in their comments. To make it clear that they are here to promote uncertainty about FLOSS.
They can bitch and moan all they want about “content”. There’s more than enough content to go around. There’s also more than enough lies, twisted logic, babel and deliberate, willful ignorance on their part.
How many times have you explained the same truth, statistic, numeric, or fact to the same nym? Different nyms? You should only have to do it once to the same person. I have seen the same thing explained to the same person many times and done so as if it was the first time. That goes on here day in and day out. Every day, just like Ground Hog Day, the same things are explained and presented as if to little children that forget everything they learned when they go to bed at night.
I will point out the repetition and try not to get dragged into it. So now you know, and they know once again, what my agenda is.
“Because you better know what you are pointing at.”
Was that what I was pointing at?
kozmcrae what I am getting at is Ivan is a incompetent weasel.
A competent weasel would have know the difference between User Mode Linux bugs and system core bugs and gave a list of links to the system core bugs.
It’s Computer Science 101… what I call bloat and spaghetti code. Callbacks for a keyboard layout?,/b>
I wonder, Mr. Pogson, have you ever taken CS101 anywhere? Using hooked procedures in your application to respond to system resource changes seems fairly fundamental. What would you do instead?
oops
Clarence Moon wrote, “Using hooked procedures in your application to respond to system resource changes seems fairly fundamental. What would you do instead?”
Huh? When is the last time you ever changed a keyboard layout? I have used the same Fujitsu keyboard for a decade now and the layout is the one used in Lose ’95. The OS handles that low-level stuff. It should be transparent to applications.
Apparently you are not in the application biz as an ISV, Mr. Pogson, else you would have a better answer to the question. An application has to adapt to a wide variety of as found conditions regarding system hardware configuration. Perhaps it will never change after it is first discovered, but you cannot ask a customer to do that much setup themselves just to get your application product to work correctly. That is one of the major problems with FLOSS programs, I understand.
Have you really used the same keyboard for 10 years? You are not much of a good customer for the struggling companies trying to make it in today’s PC market then. Give them a break. Buy a new keyboard.
Clarence Moon I have a few keyboards here that are 10 year old+.
Problem is replacing them is not cheap.
http://mechanicalkeyboards.com/shop/index.php?l=product_detail&p=28
Yes they are the 100+ dollars a pop keyboards. You need them for people who can type over 120 words per min. Your normal 20 dollar keyboards will not last out a week under that strain. Yes these 100 dollar+ ones last for a good 10 years+ being used daily for 120 word per min+ for at least 6 hours. You pay for quality you get quality basically.
Clarence Moon
“You are not much of a good customer for the struggling companies trying to make it in today’s PC market then.”
If they are depending on selling hardware they are doomed and they need to get use to the fact. A good keyboard is worth more than a small computer these days. If they start selling quality keyboards they will not sell many of those either.
PC market is in heading into hell as the mobile market takes out the causal home and business Internet user.
Clarence Moon
“An application has to adapt to a wide variety of as found conditions regarding system hardware configuration. Perhaps it will never change after it is first discovered, but you cannot ask a customer to do that much setup themselves just to get your application product to work correctly. That is one of the major problems with FLOSS programs, I understand.”
This is in fact even true for MS Office and other commercial programs. All software has ways that installation can go south. I have recently had to battle with a closed source firewall on windows that decided that it would not let Windows 7 access its shares even that it would let other XP machines work perfectly. This was a fully closed source setup. User had tried to set it up themselves and failed.
Yes I don’t just handle Linux stuff. Selling proper support is something that does not go away just because someone has a android phone or tablet. You will make more out of support work than hardware in future this is the reality.
The time of stock shelves with hardware sell the machines forget about them and make a profit is over for all the small businesses.