>The clear consensus at the Linux Security Summit was that squashing bugs is a losing strategy. Many deployed devices running Linux will never receive security updates, and patching a security hole in the upstream kernel does nothing to ensure the safety of an IoT device that could be in use for a decade and may forever be ignored by the manufacturer.
>Even devices that do receive patches may see long gaps between public bug discovery and a patch being applied. Cook gave the example of an Internet-connected door lock that an end-user might well use for 15 years or more. Such devices are likely to receive sporadic security patches, if at all.
>Worse, the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.
Linux BTFO. Torvalds on SUICIDE WATCH. Stallman high on foot cheese as usual dreaming about HURD.
>iot
>Not connecting to the internet and updates itself via secure channel
Ryan Gonzalez
>manufacturers don't patch security issues
This isn't news
Noah Russell
Most IoT stuff only uses Bluetooth
Hunter Lopez
reading further, it says the majority of kernel bugs are because of drivers, and of those the majority of the buggy drivers are third party
Andrew Carter
this isn't for the desktop/server market you fuck, this concerns the internet of things meme and embedded systems that are never fucking patched by the manufacturer, and the end user probably wouldn't patch it themselves anyways
Kevin Green
Who the hell is connecting millions of devices to the web with absolutely no plan to update them? What the fuck
Benjamin Richardson
Phones.
Brody Martinez
Not an argument. The GNU/Linux desktops all use the Linux kernel and suffer from the same bugs which take years to be found (despite having all these eyes looking at the code) by people that want to fix them.
See:
>critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.
All up in your GNU/Linux desktops and servers. The sooner you stop lying to yourself and face reality the faster this situation can improve.
Owen Campbell
All software is vulnerable as fuck when connected to the internet. This is just anti Linux propaganda.
Carson Phillips
Android Apple and Windows all do a good job pushing updates to the phones. This IoT thing is just exposing every day items as an attack surface on the web.
Jayden Barnes
APOLOGIZE
Lincoln Roberts
I'm afraid I have some bad news for you.
Cameron Diaz
>critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery
This is why there ought to be LTS kernel versions that span more than a decade
Elijah Scott
>device connected to the internet can't update over the internet.
Bentley Price
will formally proven system become popular now?
William Parker
Would you say it's better than not releasing updates for their products? Phones aren't great, but at least they do regularly update, unlike IoT devices that have no regular updates to speak of.
Brody Murphy
this argument also fits for every other system, probably even worse
just look at all the embedded devices running windows 2000 or xp
Jace Rodriguez
>Linus "fuck you if you break my user-space" Torvalds doesn't give a fuck about security if it breaks the kernel
No shit, tell me something new
>Lazy companies don't want to perform their responsibilities and duties for maintaining a product/service they sell
No shit, they don't want to see your fucking face revert again unless you're buying something.
Tyler Robinson
certainly not better, the article is basically: vendors are shit and never update their systems, or set them up badly in the first place. No Operating System can be secure if the vendor set up "1234" as the default password.
Mason Gomez
yeah, and the windows source code has less bugs...kek
also, finding these bugs IS objectively very hard, it's only really relevant to the NSA and other agencies with big budgets
Aiden Lee
he needs to get on twitter
Levi Walker
>objectively very hard
Usually linux secholes cause a crash, but there are some privilege escalations too, but they aren't obvious to play out.
James Fisher
>fuck you if you break my user-space
windows is no different[1][2], any successful general-purpose low-level software or hardware needs great backwards compatibility.
Good goyim, the money has been deposited into your account.
Daniel Sanders
That's a problem with IoT not the Linux kernel
Gabriel Harris
>That's a problem with IoT not the Linux kernel
Yeah, serious critical security bugs in the Linux kernel that go "unfound" and unfixed for 3-6 years (on average) across multiple stable and LTS releases are totally not the fault of Linux. It must be someone else's fault! It just has to be!
Lmfao. How many shekels is Torvalds paying you to post this? Judging by the low quality of damage control ITT I would assume you're doing it >for FREE
Joseph Thomas
s/Linux/Windows
Sebastian Gomez
Another attack article on Linux's Security, unsurprising
Whatever it takes for the immoral corporation friendly media to push through the notion that Linux is insecure
Lucas Jackson
The whole article is about what was presented at the Linux Security Summit 2016. What are you even suggesting? That Linux kernel developers of being paid off by the kike boogeyman to make Linux look bad so le ebil jew media report on it?
Jonathan Hernandez
windows and os x are naturally doing worse
Leo Phillips
This applies to all applications of software. Getting rid of one kernel doesn't fix that shit
Jose Jenkins
Linux had security through obscurity in the 90s. It was mostly used on professional servers and only state actors or serious badasses would be hacking them, mostly just for the hacker cred and epenis and not for any real malicious purpose. Nowadays Linux is on every phone, lots of tablets, IoT devices, and even making traction on the desktop. It's being actively targetted for inclusion in botnets and by assholes looking to steal personal information. Linux definitely needs some security work done, but really, the bigger problem is PEOPLE, not Linux. No matter how secure you TRY to make it, if someone does something retarded, it won't matter.
TL;DR-PEBKAC
My recommendation is to *gasp* fork Linux and make a locked the fuck down version for morons and IoT shit that is hardened against most attack vectors and doesn't include unneeded shit.
Grayson Wood
Doesn't help if the vendor doesn't publish updates.
Justin Green
But Linux is the most insecure OS out there.
I've worked for Cigital and if we could single out what platform we found the most holes in, it would hands down be Linux.
Linux apologists fool themselves by comparing figures between the Linux kernel and the entire Windows environment, but that's deceiving: there are also Linux-specific vulnerabilities in glibc, systemd, OpenSSL, Apache, MySQL, nginx, bash, etc.
Not to mention Linux lacks the most basic security mitigations unless you pay for grsec, and most distributions have awful defaults.
To make matters worse, Linux application developers seem to have a false sense of security because they're developing on Linux. They seem to believe they're immune to breaches and they do not comprehend the basics of infiltration, so they ignore unpatched buffer overflows and unresolved compiler warnings, and they do not pay attention to the OWASP Top 10 when developing web apps (hands down the thing Linux is used the most for out there is web, so this is extremely relevant). Developers on other platforms are more security aware.
Kayden Mitchell
>My recommendation is to *gasp* fork Linux
Probably better at this point to throw it into the trash and just start over with something new. There is no fixing the stupid inside the linux kernel.
Matthew Murphy
This argument is so general that they might as well have applied it against the Internet of Things or software in general. Their conclusion that Linux is not presently suitable for IoT is correct but they are wrong in thinking it ever could be.
Devices will be abandoned and never updated, especially if they use Linux. IoT is feasible with a walled-garden approach where the individual unit cost is so high that long-term software maintenance is profitable. Open-source Linux cannot be used in this environment.
Nathaniel Green
>relying on a device connected to the internet to protect your home
Seriously, nigga?
Grayson Taylor
I wouldn't say Linux is the least secure system, but no one who works in the security industry falls for the "Linux = more security than Windows" meme.
Security professionals worth their salt know "security as a product" is one hell of a pitfall.
Liam Garcia
Can someone explain to me how an attacker might use its bugs?
Considering an IoT device where the manufacturer actually took time to do some basic sysadmin shit like creating an unprivileged account and changing the root password to something dictionary-attack proof. And some good software development techniques like sanitizing user input. I know most devices out there do not care about this yet.
Owen Morales
>Can someone explain to me how an attacker might use its bugs?
Simply put: They cannot. This is all just overblown bullshit to make Linux look bad in the public eye.
Samuel Reyes
Read pic related.
As a rule, every bug can be exploited.
Hunter Morales
Shall we see the rise of the glorious HURD then?
Matthew Bennett
You're a retard
There is a reason no one uses windows for security.
Meanwhile FreeBSD has had no remote holes in its flat distribution in years.
Stinky Linux faggot BTFO forever
Owen Lopez
>Linux's vulnerabilities broken down and Microsoft's stacked together
Thanks for proving me right.
>There is a reason no one uses windows for security.
I work in the network security industry and that is simply not true at all. I have to admit Windows wouldn't be my first choice for anything, security-wise or not, but like this guy said, security is not a product, it's a process. Any platform can be bulletproof or literally a Swiss cheese.
Tyler Rogers
>freetard 'community' developed shit
Lol. It never occurred to me how unsafe Linux was.
Brandon Richardson
[citation needed faggot]
David Allen
Can you circlejump a buffer overflow in quake?
Adam Phillips
...
Benjamin Adams
HAHAHAAAHAHHAH BTFO LINUX
Tyler Clark
>Linux kernel security needs a rethink
I do think NT needs a security rethink first. Who the fuck thought rendering fonts in kernel space was a great idea?
Luke Phillips
>Internet-connected door lock
people using that shit deserve what they get
Colton Torres
>2016
>Linux kernel alone has twice more distinct vulns than Windows XP
>Windows
>Fucking
>XP
I should have known those freetards were lying about open source being secure because "muh freedumbs" and "muh many eyes over the code" bullshit.
Kevin Diaz
Muh 18 month old android ain't getting any more updates. Thanks, Torvalds.
Jaxson Allen
Security holes, ya dummy
Isaac Allen
This is literally a problem with hardware manufacturers, not Linux. The fact that Linux developers are looking into an issue that is not technically their problem is quite admirable imo.
Carter Sanders
>Not an argument
Yeah, well "embedded device vendors don't make updates available" isn't exactly an argument for "Linux btfo" either
Elijah Morales
This. Security is not a product, you can't fucking purchase a secure system or get one that just werks because security is a human issue. Bugs are created by flaws in logic and process when writing code, so you have to be proactive about updating your system.
I don't use linux because it's inherently more secure, i use linux because the platform makes it easier for me to maintain my system.
Alexander Jones
Oh god this man is so fucking BASED. I wish i could install openbsd, but it doesn't support trim for ssd.
Oliver Butler
Nothing is safe. If you think safety exists you're delusional. You create your own security, you maintain your own system. Windows and OSX make it almost impossible to maintain your own system, but it's easy with linux and that's why it's superior.
Christian Wood
I imagine it's a simplified abstraction of the actual vector that might occur. For instance, an infection in the 10-year-old IoT refrigerator spreads to the NFC-enabled door lock.
Jordan Brown
Not the previous user but I'm sure you don't get the point. This doesn't obviously apply to Linux only: I wonder how many security bugs are still to be found in closed source operating systems like Windows and OS X, just you're not bitching about them because MS and Apple won't give public disclosure of how long a bug has been there and how much it took them to confirm it and fix it.
I honestly don't see a big problem here because I don't want my fucking fridge to be connected to the internet. We've lived offline for ages and yet we managed to prosper and evolve. I don't see how my internet enabled fridge will make my life easier desu.
Still, companies who develop IoT gadgets running Linux, have access to the kernel source code and can go ahead bug hunting on their own and then feed the results back to the kernel maintainers.
Christopher Rodriguez
>Linux developers are looking into an issue that is not technically their problem
>the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.
>not technically their problem
Lol, just lol. Lindrones straight up cannot face reality.
Adrian Scott
Daily reminder that X11 has no privilege separation on Linux, therefore it can bring down the whole system (and often does).
Jacob Lopez
What Windows fixes?
Hudson Myers
On what planet? All of your devices that aren't a PC
Ayden Morales
>Android
>pushing updates to the phones
Nathaniel Campbell
>Oh god this man is so fucking BSD
Camden Butler
???
Daily reminder that X11 is not a kernel
5/10 made me reply
Ethan Cruz
Android is not a company. Nor do companies push updates, most normies don't even want to update their OS version, and those that do probably won't be able to after 6 months which is the average time companies send updates for each device.
-Sent from Android version 4.4.2
Mason Hill
That's the problem, without privilege separation you don't get any of the security benefits of having GUI code outside ring 0 but all of the performance hits. Linux GUI has all the security flaws Windows' does, but Windows' is orders of magnitude faster. It's the stupidest trade-off.
Cameron Morris
>internet connected door lock
>not secure
Everything I thought I knew turned out to be a lie.
Is this just for the original quake 1/2 executables? Are source ports still affected by this?
Jose Ward
Mostly original q2, it was a clusterfuck.
Cameron Rodriguez
TBQH IoT security in general is a farce. There's just no way to leave anything in what is effectively public space with any kind of static defense and believe it won't be breached over a relatively short period of time so long as there is reason to breach it.
Anyone propounding the idea that there's a solution to this that doesn't involve being able to update these devices is a charlatan selling snake oil. Netsec has been screaming this since the IoT meme started and professional huckster kikes like Zuckerfag have ignored that in order to promise good stupid goyim even more asinine hedonism.
Any widespread rollout of this kind of shit should be well and dually fucked over and hacked to bits to serve as a warning to the public about how dumb it is. Hopefully the hook nosed fucking assholes pushing it lose a lot of their precious shekels in the process.
Gabriel Roberts
Just grab the kernel from OpenBSD ffs.
James Butler
>talks about "stacking down" windows 10 as an OS vs linux as a kernel
>post numbers showing stacked down all versions of Debian/Ubuntu vs Windows 10
Isn't this hypocrisy? Also Linux kernel has stacked versions too, some are unmaintained.
Also I would like to point out that Debian security team manages security across all official packages available in the repos. This is a lot more software than for example Ubuntu, which doesn't even produce security updates for VLC. If you think placing Windows vs Linux kernel is unfair, you would have to put everything ever listed as Windows 10 supported + Windows 10 as an OS vs whole Debian repos, or something stupid like that.
What I'm trying to say, you cannot really trust CVEdetails statistics to compare security on two OSes. You can however laugh at bugs with high score not being fixed for years or affecting new releases since a very old release. I do not know if cvedetails still lists vulnerabilities with existing patches though but it seems so.
Isaiah Kelly
I hope they will. start with elm, then move to haskell, rust etc.
Anthony Wood
>Isn't this hypocrisy?
Hypocrisy is when one doesn't do as one speaks, not when somebody else doesn't.
Brody Clark
You'd imagine wrong. A local isp is advertising a home automation service to bundle with their other shit and one of the "features" is that you can open the door for guests while you're not home. I wonder how an internet service provider provides that service.
Honestly security is irrelevant in these applications. The people installing this shit have homes with windows and leave their shit unprotected. A thief that is willing to break and enter is going to break the fucking window not figure out how to open the lock.
The type of person who buys a toaster with a camera and microphone doesn't care if it gets hacked. He already takes photos of himself and posts them on facebook. He already has his phone with him to constantly report his position and activities to facebook. All he bought the toaster for was so he doesn't have to manually tell the world what he ate for breakfast. The security vulnerability here is that someone could burn his toast.
Cameron Diaz
Do you realise what IoT stands for?
Robert Murphy
>According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.
Could someone provide some examples? I've been using Linux for 7+ years and going solely off memory, I can't think of anything that hasn't been patched almost immediately after discovery.
Lincoln Morris
well yeah you talked about stacking the Microsoft vulnerabilities vs the Linux kernel, so tell me what you think about vulnerabilities in Windows 10 vs Ubuntu 16.04, both include the kernel and basic software installed with the OS. I can even forgive you that Ubuntu includes shitloads of packages not installed by default.
You can achieve best comparison pleasure looking at the number of 9+ score vulnerabilities. Bonus points for Windows 10 CVEs affecting Windows Vista or older.
But seriously now, why do people's dicks get hard for bashing software they don't use. Can't we all just agree that using OSX is gay and stop those pointless threads?
Liam Davis
Well, you talked about hypocrisy, so tell me what you think about saying you can't really trust CVEdetails and then keep spamming that shit down my throat.
Benjamin Baker
>systems that dont get updated have security flaws
Literally what kernel or system is this NOT true for??
Tyler Peterson
Yes, I told you how it is not a good way to compare shit because it stacks multiple versions of Linux distros into one, while secluding windows versions. Also I pointed out twice now that Linux distros' security teams usually provide CVE patches for software not being the ones default installed. You told that one guy that stacking microsoft vs linux kernel proves your point, explain how in the light of Windows 10 vs Ubuntu 16.04
Cameron Walker
>security patches don't fix unpatched systems
THIS JUST IN!!!
Zachary Young
Don't bother feeding the troll. These are the exact kind of Jewish tricks stallmanites use all the time, do not fall in to the trap of giving them attention.
Easton Gomez
DELETE THIS WINKEK
Brandon Foster
>systems that aren't updated have security holes
Why is this being touted as a Linux problem?
Benjamin Allen
>Why is this being touted as a Linux problem?
>the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.
>Why is this being touted as a Linux problem?
I have no idea...
Caleb Stewart
he probably thinks its asinine as fuck
Robert Sanchez
>yes goy, some freetard is giving you comparable numbers , do not listen! Don't forget to buy the new, secure Windows 10! With anniversary updates you it will be yours forever! The free software foundation is transphobic and an enemy of your freedom!
Sebastian Fisher
ITT: Linux shills ignore the existence of everything other than IoT devices because it's the only way they can try to save face.
Where are all the >muh server marketshare >muh smartphone marketshare >muh supercompootah marketshare now? I'll tell you where. Fucking suicide watch.
Camden Scott
FOR THE ONE MILLIONTH TIME: BECAUSE LINUX HAS NO GODDAMN MITIGATIONS!
Why do you think OpenBSD's default install almost never has any remotely exploitable vulns, even without any updates? BECAUSE MITIGATIONS!
Brody Wood
>Fucking suicide watch.
Can you blame them? 25 years of hard work down the drain because they cared more about hating Windows than actually building something secure that could last the test of time. The downside is that unlike MS, Apple, etc, when Linux inevitably falls it has nothing to help it back up. Game over.
Noah Perry
With Open Source Software, you learn about vulns at public security summits. With Windows, you learn about them after some Russian 12 year old from China who weighs 400 pounds hacks you from his mattress with 0-days that you can't mitigate yourself.
Matthew Lopez
are the gripes of that guy warranted? pfsense is a popular firewall after all
Asher Bell
>a list of things that actually get security updates Looks like someone skipped their English classes. Bad Pajeet!
Brandon Howard
How is that different from any other kernel?
Oh, its different because on other ones you can't even identify vulnerabilities as easily since it's closed. Eat shit.
Henry Garcia
Does it make understanding people easier for you to stereotype them into black and white labels?
What was the last commit you made to an open source project?
Evan Long
Because nobody uses it.
Oliver Cruz
>How is that different from any other kernel?
It's not, which is why it makes no sense that Linux users are so desperate to lie and try cover it up so badly. What else is there going on which makes them so desperate to hide the truth?
Really makes me think to be honest.
Luke Turner
Linux is hobbyist tier shit
It's just a joke that gets worse every year
Wyatt Gonzalez
are you trying to tell us that server administrators and supercomputer administrators do not update the software at all? I can agree on smartphone marketshare though, this shit is plain retarded - make a phone, promise updates, updates end after a year tops, blame Torvalds for not fixing your fully blobbed version of 2.6 Linux kernel. Looks legit to me! Meanwhile I'm using my end-of-life Nokia Belle symbian phone.
Xavier Gutierrez
You think that's a Linux specific problem?
Reminder that Iran's nuclear program got stuffed because of Stuxnet which exploited several privilege escalating 0-day holes in Windows which were also years old at that point.
Leo Fisher
He has an ego, but he's right. FreeBSD still didn't have ASLR until VERY recently, and even Windows has had it since at least XP or Vista.
Brandon Myers
this also begs the following question: why is there no pfsense equivalent for openbsd? they have the newest version of pf since they're developing it, too.
Jeremiah Flores
Typical Linux user blaming the user on a flaw that is clearly caused by the OS
Cameron Gomez
>This is why there ought to be LTS kernel versions that span more than a decade
They still need updates
Thomas Long
>are the gripes of that guy (You) warranted?
Yes but the video is 3 years old now, FreeBSD has made quite some progress (especially in v11) and Linux distros are doing a bit better than when the video was made.
Still; OpenBSD, Windows and OSX still come on top by a long shot. OpenBSD out of drive for technology and the other two because of paying customers.
XP was the biggest sec nightmare before SP3. I don't want to know how much money MS started throwing at security development in the XP years, if they hadn't though they would have literally died.
Jayden Sanchez
>Not to mention Linux lacks the most basic security mitigations unless you pay for grsec
heh
Really shows how much you actually knew at your job
Hunter Wilson
Linux systems running X11 are not mission critical systems (or shouldn't be) and generally not run on IoT/embedded systems (or shouldn't be due to weight). And any user of X11 is able to easily update/reinstall their system if security and stability concerns them.
Colton Nguyen
>vendors are shit and >vendors set up how is this blaming the user? Why would anybody blame the user that his Samsung Galaxy Trend or some other shit has no security updates from the manufacturer for at least two years now? Except maybe jews because the user should have bought a new phone in this time and send the old phone to africa so children can scrape gold from it.
Samuel Miller
Linux supports billions more devices than Windows. And it's still more secure
Isaac Ortiz
Nah it's just there's too many bugs and nobody fixing them
Linux isn't ready for primetime yet.
Kayden Baker
X11 solely as a desktop system wasn't the plan. Distributed computing was a main feature that required compromises to be made.
Using X11 just as a multimedia desktop and complaining about performance in this regard is like using a microwave only as a paper weight and bitching about how unwieldy it is to move around your desk.
Brody Edwards
>Nah it's just there's too many bugs and nobody fixing them
sounds like a perfect description of windows to me
Brandon Powell
>tfw only reason to use X in 2016 is to use a linux distro on a desktop computer, and X is not suited for the task
Wayland on NVIDIA drivers when?
Gabriel Garcia
Even if Linux developers found and patched all security vulnerabilities within seconds it still wouldn't matter to people who never update.
Jace Rodriguez
all those devices use default logins and passwords, that's how.
Shitty DVRs and webcams are being exploited because Linux is insecure
Connor Powell
Yeah, except OpenBSD can do it WITH privilege separation. It has been able to for almost a decade now.
Linux is just very out-of-date security-features-wise.
Asher Allen
ITT: Board that had generals with guides on how to disable Windows 10 Updates, or use Vista in 2016 instead is telling freetards that their old, unmaintained kernel versions on embedded devices are insecure >:^)
Parker Rogers
>in the year of 2010+6
>not using custom, hardened RTOS for your IoT projects
seriously.
Robert Thomas
>It's Linux fault that normies don't change default passwords
Gabriel Collins
>tfw only reason to use X in 2016 is to use a linux distro on a desktop computer, and X is not suited for the task
Been using Linux ~20 years. If I use a desktop it's not for multimedia. Windows and OSX are desktop Multimedia OSes.
Gavin Reed
>Cook gave the example of an Internet-connected door lock that an end-user might well use for 15 years or more.
We all know regular doors are fool proof, pic related.
Jordan Adams
I always thought that using Linux for multimedia is fine. Well, with that one exception of DRMed DVDs, but it caught me off guard since I normally do not play videos from DVDs.
Hunter Jackson
>FOR THE ONE MILLIONTH TIME: BECAUSE LINUX HAS NO GODDAMN MITIGATIONS!
what is ASLR?
btw, sage goes in all fields. this troll thread is retarded
Mason Reyes
>Why do you think OpenBSD's default install almost never has any remotely exploitable vulns, even without any updates? BECAUSE MITIGATIONS!
cvedetails.com/vulnerability-list/vendor_id-97/Openbsd.html
also btw, the "solution" (if it can be called as such) to this already exists, and comes from the same people that created ASLR: grsecurity
Joshua Ortiz
whose fault is it then? it's a software design flaw.
Sebastian Powell
That's the problem
It's not good enough
Grayson Roberts
windows isn't an IoT platform
Logan Reyes
tell that to microsoft
Jose Cook
>Linux has massive security issues
>T-troll thread!
k buddy
Christopher Morales
Let me know when millions of chinese devices use embedded windows then
MS can say whatever they want
Kevin Ward
>>linux has no mitigations!!11
>ASLR
>>hurr durr!!
do you even know a thing or two about security?
well, they are trying hard to push for devs to use their shit
Christian Johnson
Linux Shill Defense Bridge is out in force tonight.
But OP's whole post is that current version fixes don't matter since most devices won't be updated.
This is apparently a Linux-unique problem.
Daniel Thompson
>Runs out of argument
>lol shill XDDD
Typical winbabby. Fuck off
Wyatt Carter
let me get that straight, so linux and bsd are insecure because no one will install updates, and that somehow does not apply to windows (if still there is no one to install updates)?
Ian Brown
>This is apparently a Linux-unique problem.
Well there you go. BSD is fine then.
Charles Young
Apparently.
Elijah Roberts
>insecure because no one will install updates
>that somehow does not apply to windows (if still there is no one to install updates)?
the OP is implying that this is a linux-only problem
well, what do you think about the topic? what about the OP?
Daniel Brown
There's also the fact that Theo complains that no one ever gives money to them, this changed A LOT.
They actually have some level of corporate backing every year now.
Ethan Bennett
Blame freedesktop for not accepting their privsep patches upstream, I guess.
Connor Ross
Yes it is, Windows can enforce password policy.
Josiah Ramirez
>what is ASLR?
something that's mostly turned off and not enforced?
Aaron Perez
And?
Sebastian Davis
>something that's mostly turned off and not enforced?
hahaha, what the hell? sure thing, m8... lol
Nathaniel Lee
>not updating your system doesn't install security updates
wew
Levi Baker
wow you're underage
Hunter Reyes
>what do you think of the topic
it's ridden with shills.
-any sufficiently big codebase has critical bugs*
-Both Windows, Linux and BSD are certainly big enough to have critical Bugs
-therefore all of them have critical security bugs.
Over time, these security bugs get discovered, and some of them get publicized, usually after a fix is out. Now, if software doesn't get updated, then I can simply use this several years old bug to take control of your system. This obviously applies to any OS. Shills in this thread are trying to paint this as something linux-specific, rather than a general issue.
Christopher Foster
What, yesterday Linux was one of the safest kernels around and now suddenly it's full of security holes and shit?
Oh well, hopefully it will shut up the retarded aspect of the community...
Liam Lopez
>The security bugs lie in the firmware binary blobs, says the FSF
>The security bugs lie in the kernel, says the mainstream
Which one do I believe
Cameron Perry
Android- protecting the kernel.pdf
Landon Evans
Same question
Can I apply them?
Andrew Jenkins
>sp2
ftfy
Angel Bennett
>one reason I refuse to bother with the whole security circus is that I think it glorifies—and thus encourages—the wrong behavior. It makes 'heroes' out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are way more important, just because there's a lot more of them.
>I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.
fucking lel
William Perez
I don't understand how this has anything to do with Loonix.
If you don't upgrade your software this is basically what you can expect across the board.
Elijah Anderson
And vendors that don't care to patch their modified, patched versions of Linux and distributions, e.g. chinese cctv boxes
Owen Anderson
>lifetime of critical bug averages 3 years or more
This is the major problem
Colton Hill
its describing the problem of unfound, unfixed bugs that may include zde's.
but tl;dr here is (and this is said in the article) most of these bugs are 3rd party kernel drivers. And the people that do linux are getting very serious about security.
Jack Gomez
Technically, you could make the problem go away by using a microkernel so that bugs in device drivers and plenty of other kernel modules are not security issues.
Michael Peterson
every kernel starts as a microkernel. every successful kernel is not a microkernel. kernels introduce more functionality over time (like device drivers) because it improves performance
unfortunately whispering microkernel on its own does not provide a real world solution.
Brody Price
I am not providing solution. I am saying that technically the path to solution is known, it's just that no one successfully walked it yet - as a counter-argument to your statement that there's no solution possible.
Also Linux quite clearly did not start as a microkernel. Do you even know what microkernel is?
Aiden Rodriguez
osx was built on something that was built on something that was built on mach. Clearly no longer a microkernel
clearly the microkernel line has been walked, its a novelty and an academic plaything but there is no way to make it competitively performant, there is too much overhead to put device drivers in userland.
This is why windows migrated the windows graphics component INTO (not out of) the kernel years ago, and why we have things like .tiff images achieving privilege escalation.
And I never said there is no solution, I said microkernels were not, and did not offer my own. I think that the problem is pretty clear. If most bugs are coming from 3rd parties (read private parties), the solution has to be to push free further into industry.
if these companies want to be in kernel space they should be releasing fully documented chips and APIs and allowing kernel devs to write the software.
Brody Perry
>every kernel starts as a microkernel.
Better choose your words carefully next time nigguh.
Anyway, performance is not everything. Not everyone, given choice of speed vs security will choose latter. Moreover, circumstances change. If on today's hardware the performance of a microkernel may not be acceptable, it could be on tomorrow's.
Noah Hernandez
>Iphone Os
Where did you get this list?
Noah Sanders
The overhead of putting something in userland is acceptable when the number of kernel api calls is low.
for something like a nic, I bet the number of api calls that the driver makes is probably unreasonable to put in userland, especially for a webserver. same would go for display drivers for a graphics workstation etc...
Projects like OpenBSD develop their own drivers (not necessarily by choice), and although I dont have the statistics I would bet driver bugs are relatively less common.
The reasonable solution must be pushing for publicly documented chips and api's. The linux foundation has the clout to do it already.
Ian Wilson
>every kernel starts as a microkernel.
user...
Elijah Moore
>Even if Linux developers found and patched all security vulnerabilities within seconds it still wouldn't matter to people who never update.
So your argument is that you don't need to fix critical errors because people don't all instantly update?
Gee I wonder if that's because updating breaks everything and introduces even more critical flaws.
Juan Walker
So you ignore the post I wrote about performance not being everything and proceed to write a wall of text elaborating that performance, is, indeed, everything by listing some examples where performance seems to be important. Nice.
Tyler Morgan
this is literally >people die when they're killed tier
Caleb Thompson
I don't care. I'm still going to run the superior GNU/Linux operating system.
Bentley Phillips
no I understood your point that performance isnt everything to everyone.
But it is very important to people that make the decisions, and apparently their opinions matter more.
So I elaborated by laying out a principled solution that is philosophically compatible with Linux and OSI without sacrifice or prayer that it might someday be feasible.
Camden Myers
I use Windows 10. I am not ashamed.
Kayden Clark
>he claims there's a campaign against Linux
>he must be from Cred Forums
This is a fallacy. There's a concerted effort by corporate interests to wrest control of Linux away from the core kernel hacker group for a long time. Red Hat has made the best inroads, but don't forget there are many more looking to do the same.
Sebastian Martin
...
Isaac Long
I always eagerly wait for the new Lunix kernel. When I think of what compilation commands to use I get a huge boner and I often masturbate during the compilation. Some time ago I bought a new computer that compiles the kernel so fast I don't have time to cum. So I compile it twice.
Camden Baker
Under appreciated first post. FP;BP as always.
Lincoln Edwards
>implying that everything is always patched in next few days
most 0days get patched like 2 years later everywhere
Nolan Ramirez
Is Wayland any better in this matter?
Ethan Lopez
Damn that's a lot of ass talk
Levi Baker
> nginx
> lots of security holes
Get a load of this retard
John Bell
kek laughing at the desperate red hat shills damage controlling to this post The first step is always denial
Cooper Martinez
Internet is a term for a network of connected devices, but this doesn't mean they reach out to the WWW.
Camden King
REDOX OS IS THE FUTURE Let's all contribute to redox os.
Cameron Edwards
This is your brain on openplacebo.
Jacob Morgan
The only thing open about openbsd is its backdoors.
Evan Scott
Clearly the solution is to use Windows 10 IoT on your internet-connected door lock instead of Linux
Blake Kelly
Because security is taboo in openbsd land. Only wishful thinking is allowed. If they were to allow a competent firewall on their system, that would be an admittance of the truth (that their security is entirely imagined and not real).
Kevin Ramirez
topkek
>"Android does in fact inherit bugs from the upstream kernel," he said, "but our data shows that most of Android's kernel security vulnerabilities live in device drivers."
yet again, this goes to show why we need more free software and less proprietary third party drivers
Jacob Wright
...
Bentley Perry
And this is why nobody with half a brain can unironically say that openbsd is secure - it contains proprietary blobs in the base image and downloads more without even telling the user during the install process. Of course, they change the meaning of the word blob so they don't get sued for false advertising when they say they're blob-free...
Austin Baker
The NSA uses Linux
The KGB uses Linux
Linux is more secure than Windows.
/thread
William Hernandez
do you even know what pfsense is
its literally a GUI for the openbsd firewall that's also used in freebsd
Hunter Gutierrez
The biggest reason I can't take OpenBSD seriously is because all of their concepts of security revolve around making the programs use them, which means their tree and nothing else.
In other words, you effectively can't run third party programs on OpenBSD at all. It fails at the fundamental job of being an operating system by definition.
Robert Rodriguez
>Internet-connected door lock
pic related
fpbp, this iot meme needs to stop as soon as possible, before something really bad happens at a large scale leading 1148
Parker Adams
>It fails at the fundamental job of being an operating system by definition.
It's not, but fails miserably on many part. It's more or less research project anyway.
Lucas Parker
An operating system is a platform on which users can execute their own programs. If an OS disincentivizes running your own programs, it sucks at being an OS.
Logan Parker
I can't run Photoshop on Linux. I'm glad Linux users understand why we Windows users can't take Linux seriously.
Jaxon Scott
>In other words, you effectively can't run third party programs on OpenBSD at all
at all? wow i guess im able to run firefox by pure magic then
Carson Moore
Nice FUD, nigger.
Aiden Perry
There is, it's called securityrouter. But the reason pfSense chose FreeBSD is because they could just fork m0n0wall instead of starting from scratch, they could offer more features and more performance that way.
Brayden Collins
>If an OS disincentivizes running your own programs, it sucks at being an OS.
Why has Linux no support for de facto standard programming APIs like .NET, Win32, ActiveX and Direct3D then?
By your own criterion, Linux sucks at being an OS.
Benjamin Clark
Yes, firefox is a great example of a program that receives absolutely fuckall of OpenBSD's “security enhancements” because it's not rewritten to use OpenBSD's security features.
I never said it was impossible to do, I said it was disincentivized / effectively impossible (as long as you want security out of OpenBSD - you know, the only reason people even consider OpenBSD)
Brayden Rivera
Not sure if bait or just legitimately retarded. Allowing you to run your own programs does not mean needing to magically support every API in existence.
As long as you have at least ONE mechanism for running third-party programs, you have the capability and therefore do not violate the definition of an OS.
Julian Johnson
pretty sure w^x violations and all that other shit are enforced system wide though specifically because you cant just fork everything
Isaac Jones
>OpenBSD violates the definition of an OS because it forces programs to behave
Wow, you are dumb.
Isaiah Campbell
The example I had in my mind is OpenSSL's refusal to implement MAC. Instead of MAC (which works for every program, even third-party) they instead make the program itself drop syscall capabilities, which requires patching every single package in their repositories.
It's not the first time they've done something like this either, but to me it's the most egregious. I don't understand how they can just go ahead and assume syscall security only matters for patched in-tree software.
William Morris
No, it literally doesn't. It does the exact opposite. It lets third-party programs do whatever they want, not governed by a permissions system (like e.g. SELinux on Linux)
See
Nolan Gray
>muh MACs
fuck i should've known it was you
Alexander Moore
>implying it makes sense to accept overengineered NSA dogshit like SELinux which adds infinite complexity and traps sysadmins just to comply with outdated DoD Orange Book bullshit when you can already completely lock down the system, control user access by data sensitivity level, compartmentalize users and contain break-in attempts with everything OpenBSD's already got
Next you're gonna complain that OpenBSD only supports Unix permissions and doesn't have ACLs. Literally kill yourself.
Isaiah Martinez
>you
who?
Hudson James
>not governed by a permissions system
You only need that shit because you run all your fucking daemons as fucking root, you fucking Linux morons. OpenBSD has privilege separation.
Also, lrn2chroot + systrace. Don't blame the operating system for you being a newbie sysadmin.
Sebastian Foster
well a router is not really IoT for example..
Henry Morris
>You only need that shit because you run all your fucking daemons as fucking root, you fucking Linux morons.
People do this?
>OpenBSD has privilege separation.
So how does it do privilege separation while only having POSIX permissions? Combinatorial group explosion?
Say I have a file that needs to be accessed by programs X,Y,Z but not by A,B,C. Then I have another file that needs to be accessed by X,B but not by Y,A,C. Then I have another file that needs to be accessed by Y,C but not by X,A,B.
How do you do that without ACLs or permission vectors?
Mason Murphy
almost every daemon or insecure by nature components (http for example) runs as its own user in chroot
Noah Morgan
Okay so what if I want to run skype?
Juan Morgan
>People do this?
Reminder that X11 on Linux runs as root to this day.
>Say I have a file that needs to be accessed by programs X,Y,Z but not by A,B,C. Then I have another file that needs to be accessed by X,B but not by Y,A,C. Then I have another file that needs to be accessed by Y,C but not by X,A,B.
Create group_that_has_access_to_file_1, group_that_has_access_to_file_2 and group_that_has_access_to_file_3. Put X, Y and Z in the first, X and B in the 2nd and Y and C in the third. Change groups ownership of the files. Done.
Are you really so mentally challenged that you couldn't figure this out?
Landon Jenkins
Whatever. I use a HPC running fully up-to-date Arch Linux as my router anyway, so works fine for me.
Camden Gutierrez
>running MS non-free software
come on
dont tell me you're not him now
Hunter Taylor
>ACLs vs. POSIX again
Look, you can mathematically prove that there's nothing ACLs can do that Unix permissions can't, yet the former are various orders of magnitude more complex.
>skype
You've shown your true colours. No need to proceed with this.
Leo Watson
>Reminder that X11 on Linux runs as root to this day.
You mean X.org? And it's the minority here, isn't it? You said “all” daemons, which implies every single daemon. On my system, virtually every daemon seems to run as its own user, with systemd and sshd being the only exceptions. That's not “all”, to me.
>man.openbsd.org/OpenBSD-current/man2/chroot.2
chroot is a mechanism for implementing a policy, but it does not provide a policy. How do you configure your policy on OpenBSD? You need ACLs or Vectors to avoid combinatorial explosion. POSIX groups just don't cut it.
>Create group_that_has_access_to_file_1, group_that_has_access_to_file_2 and group_that_has_access_to_file_3.
Wow, fantastic. You just described combinatorial explosion to me. Next thing I know you're going to be telling me to have a separate POSIX group for every 2^N combination of users and files on my system
good job, truly am impressed by your revolutionary OS
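The group-per-file scheme argued over in the posts above, modelled for the thread's three-file case; this is an added example and not part of any poster's message. The user names, file names and helper functions are hypothetical, and it assumes each program runs as its own user, files are owned by root and mode 0640.

```python
# Added illustration: models the group-per-file scheme from the thread.
# Users x,y,z,a,b,c and the file names are the thread's placeholders.
from itertools import count

# Constructed sample policy: file -> set of daemon users allowed to read it.
POLICY = {
    "file_1": {"x", "y", "z"},
    "file_2": {"x", "b"},
    "file_3": {"y", "c"},
}
ALL_USERS = {"x", "y", "z", "a", "b", "c"}


def plan_groups(policy):
    """Assign one group per distinct reader set; files sharing a set share a group."""
    group_of_set = {}   # frozenset(readers) -> group name
    file_group = {}     # file -> group name
    members = {}        # group name -> set of users
    ids = count(1)
    for path in sorted(policy):
        readers = frozenset(policy[path])
        if readers not in group_of_set:
            name = f"grp_{next(ids)}"
            group_of_set[readers] = name
            members[name] = set(readers)
        file_group[path] = group_of_set[readers]
    return file_group, members


def can_read(user, path, file_group, members, owner="root", mode=0o640):
    """Classic Unix check: owner bits, else group bits, else other bits."""
    if user == owner:
        return bool(mode & 0o400)
    if user in members[file_group[path]]:
        return bool(mode & 0o040)
    return bool(mode & 0o004)


def effective_matrix(policy, users):
    """Who can actually read each file once the planned groups are applied."""
    file_group, members = plan_groups(policy)
    return {p: {u for u in users if can_read(u, p, file_group, members)}
            for p in policy}


def supplementary_groups(policy):
    """Groups per user; the OS caps this per process (NGROUPS_MAX)."""
    _, members = plan_groups(policy)
    users = set().union(*members.values())
    return {u: sum(u in m for m in members.values()) for u in sorted(users)}


if __name__ == "__main__":
    fg, mem = plan_groups(POLICY)
    for path, grp in fg.items():
        print(f"chgrp {grp} {path}; chmod 640 {path}  # members: {sorted(mem[grp])}")
    print("groups needed:", len(mem), "for", len(POLICY), "files")
```

The model covers a single group with a single set of permission bits per file; a file that needs different rights for different sets of users does not fit it.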
Joshua Davis
>Look, you can mathematically prove that there's nothing ACLs can do that Unix permissions can't, yet the former are various orders of magnitude more complex.
Yeah I don't need your O(2^n) proof thanks
Okay, so you can't? Thanks, that's the answer I was expecting to hear from you delusional suckless/OpenBSD idiots who think the world revolves around your naive ecosystem.
FreeBSD still does not have ASLR or any mitigations like that, even in the -CURRENT branch. There was an experimental work-in-progress diff for it that's gone nowhere.
Joshua Cruz
Actually, a lot of third party software in the OpenBSD ports/package collection get additional security benefits. Many have had pledge integrated or additional chrooting (see nginx for example)
>I wish i could install openbsd, but it doesn't support trim for ssd.
is this needed on modern SSDs? i thought most had junk collection built in to the firmware. i haven't noticed any slowdown on mine, it's an intel one from about four years ago.
Ian Reed
Maybe running PHP as root on your edge gateway device isn't the best idea...
Levi Jenkins
>FreebSD has made quite some progress (especially in v11)
like what? i read the release notes page and saw almost nothing related to security.
aren't portsnap and freebsd_update still vulnerable to KNOWN exploits that were brought up months ago?
Colton Lopez
pfsense and freebsd run a version of pf that's almost eight years old now, buddy.
Logan Bailey
>sshd
I hope you're using lsh instead of OpenSSH since you hate OpenBSD so much.
Carson Martin
yup and thats why pfsense should be openbsd based
Hudson Price
what piece of software or operating system doesn't have attack vectors?
probably known. how easy it is to execute an attack on an operating system linux or windows? probably easier on windows as it's more commonly used.
is linux more secure than windows or is the inverse true?
Carson Jenkins
bookmarked ASLR. HardenedBeniS'D maybe knew it already.
>what piece of software or operating system doesn't have attack vectors?
Glorious TempleOS.
Alexander Hall
hardenedbsd is not freebsd and their changes won't be merged back upstream. it's not quite the same. freebsd has made NO improvements in this area since that 2013 video.
John Wilson
Ask for Genuine Microsoft Software.
David Price
install gentoo
Leo Roberts
we are talking about openbsd, the OS. the tools are... well, that, tools.