Kernel.org is Back

Kernel.org has come back up with advice on hardening developers’ machines to prevent a recurrence. The instructions are detailed: developers are to use 4096-bit keys and to stop using DSA. They have promised to issue a detailed report. That will be interesting.

see Kernel.org
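As an added example (not Kernel.org’s or the post’s own code), here is a small Python audit of an authorized_keys file against that advice: it decodes the ssh-rsa wire format to read the modulus size, and flags DSA keys and RSA keys under 4096 bits. The key lines are constructed placeholders of the right size, not real key material.

```python
import base64
import struct

MIN_RSA_BITS = 4096  # the kernel.org minimum, as the post reports it

def _pack_string(b):  # SSH wire "string": uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b
def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n
def _mpint(x):  # SSH mpint: big-endian string, leading 0x00 if the top bit is set
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return _pack_string(b"\x00" + b if b[0] & 0x80 else b)

def rsa_modulus_bits(b64_blob):
    # An ssh-rsa blob is: string "ssh-rsa", mpint e (exponent), mpint n (modulus)
    blob = base64.b64decode(b64_blob)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return None
    _e, off = _read_string(blob, off)
    n, _ = _read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()

def audit_authorized_keys(text):
    """Return (comment, verdict) for each key line of an authorized_keys file."""
    verdicts = []
    for line in text.splitlines():
        f = line.split()
        # Options such as from="..." may precede the key type, so locate the type field.
        i = next((i for i, w in enumerate(f) if w.startswith(("ssh-", "ecdsa-"))), None)
        if not f or f[0].startswith("#") or i is None:
            continue
        ktype, blob, comment = f[i], f[i + 1], " ".join(f[i + 2:]) or "<no comment>"
        if ktype == "ssh-dss":
            verdicts.append((comment, "REPLACE: DSA key"))
        elif ktype == "ssh-rsa":
            bits = rsa_modulus_bits(blob)
            verdicts.append((comment, "ok" if bits and bits >= MIN_RSA_BITS else f"REPLACE: RSA {bits} bits"))
    return verdicts

def fake_key_line(ktype, bits, comment):
    # Constructed test key: a placeholder modulus of the requested size, not real key material.
    blob = _pack_string(ktype.encode())
    if ktype == "ssh-rsa":
        blob += _mpint(65537) + _mpint((1 << (bits - 1)) | 1)
    return f"{ktype} {base64.b64encode(blob).decode()} {comment}"
SAMPLE = "\n".join(["# constructed authorized_keys file",
                    fake_key_line("ssh-rsa", 2048, "dev@old-laptop"),
                    fake_key_line("ssh-rsa", 4096, "dev@new-laptop"),
                    fake_key_line("ssh-dss", 1024, "dev@legacy")])
```

Key types the advice does not mention (ecdsa, ed25519) are skipped rather than judged.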

SJVN and others give good advice on keeping GNU/Linux systems clean.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

15 Responses to Kernel.org is Back

  1. oiaohm says:

    oldman, modern-day selinux is not half bad. Of course, don’t touch the configuration of it with raw fingertips. Segatex is kinda a requirement.

    I do use Segatex and selinux quite a bit, since I do use postgresql databases using selinux as well.

    With mod_selinux in apache and php-pecl-selinux, selinux can reach kind of everywhere, tracking role- and user-based security.

    This is part of the problem: selinux at one point rules the system, all data access.

    Yes, I use selinux daily. Most of the time I don’t even notice what it’s up to. selinux on services is about the minimum I recommend, since services are one of your largest weaknesses with higher privilege.

    Integrated security is the big thing. Selinux is only one of many layers of defence.

  2. oldman says:

    “Linux world is still many years ahead in addressing the security issues. Yes, that applications are exploitable is also why applications should have more restrictions on what they can and cannot do.”

    Do you recommend selinux?

  3. uhhh, Auto-run, ANI? Remember those monstrosities? Relics of Lose 3.1… and still haunting us in the 21st century.

  4. oiaohm says:

    NT JERKFACE

    strcpy(): there is another solution. It involves making compilers smarter. http://gcc.gnu.org/wiki/Mudflap_Pointer_Debugging Thing is, this is a far more effective generic solution to the problem.

    Replacing a few functions here and there is nowhere near as effective as compiler-implemented protections against overruns.

    You really need to read Ulrich Drepper’s full answer. His “really really careful” was referring to improving compilers to prevent buffer overflows. In fact the safer function replacement for strcpy was not in fact that safe; it was depending on the coder to pass it the right value. Ulrich Drepper basically was not falling for a false security promise.

    NT JERKFACE, MS’s current offerings do have flaws that are 10 years old that have been patched over quickly instead of being properly fixed.

    Ulrich Drepper did the right thing refusing to hack fix a problem.

    Ch, there are still basic flaws that MS is still failing to react to, including too many services running with high privilege. Means for Adobe and others to add constantly running services in ways users cannot see.

    The lack of installed-application accountability is the big bugbear left as well.

    There is a lot MS can do that will reduce the damage Adobe products can do.

    Ch and NT JERKFACE, you both have to admit that lacking some form of inbuilt tracking of what the user installed and what it’s depending on, so that threats can be located and cleaned up, is still a major outstanding flaw.

    Linux world is still many years ahead in addressing the security issues. Yes, that applications are exploitable is also why applications should have more restrictions on what they can and cannot do.

    Linux Security Modules, in 2000 and before, was started to attempt to address cases of nasty issues with Adobe and the like.

  5. ch says:

    “That other OS was designed from the beginning to just work without regard to security.”
    True for MS-DOS and Win9x. Completely wrong for WinNT. And that article you linked to is a complete joke – that guy knows almost as little about Windows networking as you do.

    “M$ did not have native networking until 1994. Before that it was all third-party stuff.”
    I have been networking with MS stuff even before Win3.0 (“natively”). What you probably meant to write was “MS didn’t write their own TCP/IP stack for WfW until 1994”.

    The real problem was that for MS “networking” meant “corporate networks”, for which NT was more than good enough. But then all internet hell broke loose, and it took MS until 2004/2005 to fully grasp the implications and react. Yes, that was a looong time – too long. However, if you ever were to look at the here and now, you might notice that actual OS exploits are less of a problem than attacks directed against applications. *insert nasty look in the rough direction of Adobe*

  6. NT JERKFACE says:

    poogy sez:
    It’s not magic, just sound design. That other OS was designed from the beginning to just work without regard to security.

    After reading that article I have decided to never run other OS 98 again.

    That guy is a hack btw, it’s a joke that he brought up strcpy() when it was Ulrich Drepper of glibc who rejected deprecating it in favor of a safer replacement. Drepper’s solution is to be really really really careful, gee good plan there Drep. This isn’t a Windows vs Linux thing btw, the OpenBSD guys thought Drep was a nut as well.

    It also doesn’t make sense that he picked IE integration to be their worst decision, especially when that integration was mainly artificial which was shown at the trial that he claims to know about. Not shipping Pre-SP2 XP and 2k without a firewall was a much bigger mistake.

    He is trying to sound more technically informed than he actually is. Like a lot of Nix fans his understanding of Windows security is limited and largely based on the 9x series. But I don’t trust his understanding of Unix security either, it is deluded to believe that Unix hit some gold standard of security decades ago given how many improvements have been added.

    ohio sez:
    NT JERKFACE, you have been hanging around open source imposters for too long, failing to look closely enough to see the Linux people are upset by particular things, so have valid reasons to be blaming Microsoft for incompetence.

    Hmmmmm, well, there are a lot of posers in the tech world, that is true. MS certainly fumbled on security with their earlier browsers and operating systems, but that attitude isn’t reflected in their current offerings. If someone wants to hold a grudge against MS then that is fine, but I grow tired of the continued religious belief in Linux/Unix security and the corresponding blind arrogance of the faithful.

  7. oiaohm says:

    NT JERKFACE

    I have some bad news for you: it’s not the Linux people who blame Windows and Microsoft alone.
    “Windows server gets hacked: fault of Windows.” Windows admins use this excuse.

    It’s accountability. On Linux the buck stops with the system admin unless a defect can be identified lower down.

    Anti-virus was not up to date: Windows admin blames Windows. System was not checked regularly: Windows admin blames Windows.

    That a virus exploiting a 12-month+ old flaw works means either that Microsoft has not patched it or that the administrator has not applied the patch. Most Windows viruses are not exploiting new flaws but old flaws that have not been fixed correctly, or not even fixed at all, by the 12-month mark after report. This is Microsoft’s fault.

    On Android, fault has been placed on Google for letting malware into their repositories, and on users for adding untrustworthy repositories. This is the correct allocation of blame. The user is sometimes to blame for the mess they have got themselves into.

    So a user who under Windows downloads illegal software should kinda expect to get burnt just as much as an Android user using illegal software from untrusted repositories.

    Again, it’s the correct allocation of blame.

    That Windows gets malware is also not exactly what the Linux guys hate. It’s removing the malware. On all Linux systems there is a process you can follow to remove any malware from the system. The same process will catch up with it all. And it’s not reinstalling the bugger. Windows lacks this: no central package management, no list of what keys in the registry are owned/used by what application, and so on. Basically malware removal under Windows is many times harder than it should be.

    How hard it is to remove malware is Windows’ fault. Yes, that users have a hard time removing malware under Windows is the issue. This is Microsoft’s fault as the distributor of Windows. There are Linux distributions that are harder, but not as hard as Windows, to clean up.

    Repositories also give users somewhere to go to reduce the odds of drive-by malware. MS is looking at, at long last, adding that feature in Windows 8. Only 15 years late really.

    NT JERKFACE, you have been hanging around open source imposters for too long, failing to look closely enough to see the Linux people are upset by particular things, so have valid reasons to be blaming Microsoft for incompetence.

    Contrarian, the markets Linux has been interested in have listened. Linux has taken most of the developer-rich markets first. The desktop market has one of the smallest numbers of developers out there.

    So desktop is really last on Linux’s shopping list of markets they want. Supercomputers were number 1, since that is the highest concentration of developers to number of machines. Next highest is embedded. Next is phones. Next is small business servers, and finally you get to desktop.

    The metrics you use, of dollars going to one company, don’t apply in the open source world. Contrarian, that is the big issue: with open source it is insanely hard to value how much is really being spent on it, since the money is being spent by many different companies and most of them don’t have to tell you how much they have spent.

    Yes, the great Linux magic void of numbers.

  8. Contrarian says:

    If you think about it, #pogson, you can see that the history of Microsoft OS has just been having the right stuff at the right time. The history of Linux, OTOH, has been to smugly assert some form of superiority to a world that has never listened.

    If nothing else, Microsoft has made the world care about desktop and server OS. Through tireless public education via Windows promotions, Windows has become the lead OS for servers and desktops, taking almost 80% of the overall sales for these products.

  9. It’s not magic, just sound design. That other OS was designed from the beginning to just work without regard to security.

    OTOH, see The Best and Most Secure Windows OS of All

    “Windows 3.x, 95, 98 and ME carried on the tradition of MSDOS in a nice GUI package, with little attention paid to security since the only way your computer could get “pwned” in the beginning was if you installed a trojaned application, or inserted a disk that had a virus already on it. “

    Of course, GNU/Linux knew about networking from day one.
    * INET An implementation of the TCP/IP protocol suite for the LINUX
    * operating system. INET is implemented using the BSD Socket
    * interface as the means of communication with the user level.
    *
    * Ethernet-type device handling.
    *
    * Version: @(#)eth.c 1.0.7 05/25/93

    “On September 21st 1992 in a post to Usenet, Linus informed of three important features being added. Support for the sound blaster card, support for accessing cdroms and TCP/IP networking (which of course is needed for remote X), which would be in the next release in about a weeks time.

    Version 0.98 was released on September 29th 1992. On the 18th October 1992 version 0.98.2 was released, this included some TCP/IP patches, but this feature was still marked experimental. Of course Linux’s TCP/IP networking has a history all to its own….
    Version 0.99 came out on December 13th 1992. One of the main holdups to 1.0 was in getting the networking code fully debugged which was then being worked on by Alan Cox. “

    see http://digital-domain.net/lug/unix-linux-history.html

    M$ did not have native networking until 1994. Before that it was all third-party stuff.

  10. NT JERKFACE says:

    No Phenom is correct.

    According to Linux fans:

    Android users get malware: fault of users.

    Windows users get malware: fault of Windows.

    Linux server gets hacked: fault of admin.

    Windows server gets hacked: fault of Windows.

    They still cling to some weird belief that the Linux kernel confers magical security powers.

    Even stranger is their belief in the security prowess of lamp stacks when the ‘p’ as in php should stand for pleasing hackers perpetually.

  11. oiaohm says:

    Phenom, the issue is that most people with an Android phone, or one of Motorola’s and others’ Linux phones, if asked whether they use Linux would say no.

    This is the problem: a lot of people use Linux. Just they are not aware of it.

    Yes, the quality of the Linux kernel is just as important to make those mobile phones secure as a desktop.

    So the quality of Linux is important to them, but they are not aware of it. It’s like the one Linux worm that was infecting routers/ADSL modems. Luckily ISPs cooperated in cleaning it up.

    Yes, people are not really aware of what they are depending on.

    Linux targeted where the developers were first: embedded and servers. Linux is now at the point where, to keep on growing, it has to start targeting desktop seriously. You don’t have to look past Mesa to see how the desktop was not taken seriously for a long time.

  12. Phenom says:

    Quote: An honest person, presented with a lump of shit and a can of shineola will have to tell you that shit stinks

    Indeed. People from all over the world were presented with a few OSes to choose from and 90%+ told that Linux stinks.

  13. oiaohm says:

    Phenom, a point to remember: most of the steps SJVN was describing are the Linux equivalent of anti-virus scanning the core of the OS.

    A Windows user who gets infected while not running an anti-virus is the user’s fault too, right Phenom?

    All OSes have processes you are meant to do to remain somewhat secure. On Linux, checking installed package files against checksums is one of those things.
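An added example (not SJVN’s or the post’s own code) of the checksum step oiaohm mentions: verify the files under a directory against a sha256sum-style manifest (“hex digest, two spaces, relative path” is an assumed format) and report which are modified or missing. The “installed package” is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(manifest_text, root):
    """Check files under root against 'sha256hex  relative/path' lines; map path -> ok/MODIFIED/MISSING."""
    report = {}
    for line in manifest_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, rel = line.split(None, 1)
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "MISSING"
        elif sha256_of(path) != expected:
            report[rel] = "MODIFIED"
        else:
            report[rel] = "ok"
    return report

def demo():
    """Constructed 'installed package' under a temp dir; returns the verification report."""
    root = tempfile.mkdtemp()
    originals = {                      # constructed file contents, not a real package
        "bin/tool": b"#!/bin/sh\necho ok\n",
        "lib/libtool.so": b"\x7fELF placeholder bytes",
        "etc/tool.conf": b"level=1\n",
    }
    for rel, data in originals.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    # The manifest is recorded at "install time", before anything changes.
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {rel}" for rel, d in originals.items())
    # Afterwards one file is altered and one is deleted; the check must report both.
    with open(os.path.join(root, "bin/tool"), "wb") as fh:
        fh.write(b"#!/bin/sh\necho changed\n")
    os.remove(os.path.join(root, "etc/tool.conf"))
    return verify_manifest(manifest, root)
```

A manifest kept on the same host can be altered along with the files it describes, so the reference digests should come from package data or media that the host cannot have rewritten.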

  14. twitter says:

    What you say is neither true nor fair, Phenom. Until the report comes out, we don’t know what happened and the people writing the report might not have figured it out. In general Windows lets users down and gnu/linux does not. In each case, Pogson fairly and accurately describes the problems. An honest person, presented with a lump of shit and a can of shineola will have to tell you that shit stinks.

  15. Phenom says:

    According to SJVN, it is users’ fault if you get viruses.

    Strange how with the “other OS” it is always the OS, but never the user; with Linux it is always the user, never the OS itself. Double standards, guys.
