Unsafe at any clock speed: Linux kernel security needs a rethink

arstechnica.co.uk/security/2016/09/linux-kernel-security-needs-fixing/

>The clear consensus at the Linux Security Summit was that squashing bugs is a losing strategy. Many deployed devices running Linux will never receive security updates, and patching a security hole in the upstream kernel does nothing to ensure the safety of an IoT device that could be in use for a decade and may forever be ignored by the manufacturer.
>Even devices that do receive patches may see long gaps between public bug discovery and a patch being applied. Cook gave the example of an Internet-connected door lock that an end-user might well use for 15 years or more. Such devices are likely to receive sporadic security patches, if at all.

>Worse, the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.

Linux BTFO.
Torvalds on SUICIDE WATCH.
Stallman high on foot cheese as usual dreaming about HURD.


More like IoT btfo

Still faster than any Windows fixes.

So it turns out that not updating software leaves security holes in said updated software?

You could replace linux with anything there.
If devices are not getting bugfixes then it doesn't matter what they're running.

that sounds frightening, how are other systems doing?

>security patches don't fix unpatched systems
news at 11

Pretty much everyone but FreeBSD is doing better: youtube.com/watch?v=OXS8ljif9b8

>iot
>Not connecting to the internet and updates itself via secure channel

>manufacturers don't patch security issues

This isn't news

Most IoT stuff only uses Bluetooth

reading further, it says the majority of kernel bugs are because of drivers, and of those the majority of the buggy drivers are third party

this isn't for the desktop/server market you fuck, this concerns the internet of things meme and embedded systems that are never fucking patched by the manufacturer, and the end user probably wouldn't patch it themselves anyways

Who the hell is connecting millions of devices to the web with absolutely no plan to update them?
What the fuck

Phones.

Not an argument.
The GNU/Linux desktops all use the Linux kernel and suffer from the same bugs which take years to be found (despite having all these eyes looking at the code) by people that want to fix them.

See:
>critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.

All up in your GNU/Linux desktops and servers. The sooner you stop lying to yourself and face reality the faster this situation can improve.

All software is vulnerable as fuck when connected to the internet. This is just anti Linux propaganda.

Android Apple and Windows all do a good job pushing updates to the phones. This IoT thing is just exposing every day items as an attack surface on the web.

APOLOGIZE

I'm afraid I have some bad news for you.

>critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery
This is why there ought to be LTS kernel versions that span more than a decade

>device connected to the internet can't update over the internet.

will formally proven system become popular now?

Would you say it's better than not releasing updates for their products? Phones aren't great, but at least they do regularly update, unlike IoT devices that have no regular updates to speak of.

this argument also fits every other system, probably even worse

just look at all the embedded devices running windows 2000 or xp

>Linus "fuck you if you break my user-space" Torvalds doesn't give a fuck about security if it breaks the kernel
No shit, tell me something new

>Lazy companies don't want to perform their responsibilities and duties for maintaining a product/service they sell
No shit, they didn't want to see your fucking face ever again unless you're buying something.

certainly not better, the article is basically: vendors are shit and never update their systems, or set them up badly in the first place. No Operating System can be secure if the vendor set up "1234" as the default password.

yeah, and the windows source code has less bugs...kek
also, finding these bugs IS objectively very hard, it's only really relevant to the NSA and other agencies with big budgets

he needs to get on twitter

>objectively very hard
Usually linux secholes just cause a crash, but there are some privilege escalations too, though they aren't obvious to play out.

>fuck you if you break my user-space
windows is no different[1][2], any successful general-purpose low-level software or hardware needs great backwards compatibility.

[1]joelonsoftware.com/articles/fog0000000054.html
[2]blogs.msdn.microsoft.com/oldnewthing/20110131-00/?p=11633c

>secholes
what?

Good goyim, the money has been deposited into your account.

That's a problem with IoT not the Linux kernel

>That's a problem with IoT not the Linux kernel
Yeah, serious critical security bugs in the Linux kernel that go "unfound" and unfixed for 3-6 years (on average) across multiple stable and LTS releases are totally not the fault of Linux. It must be someone else's fault! It just has to be!

Lmfao.
How many shekels is Torvalds paying you to post this? Judging by the low quality of damage control ITT I would assume you're doing it
>for FREE

s/Linux/Windows

Another attack article on Linux's Security, unsurprising
Whatever it takes for the immoral corporation friendly media to push through the notion that Linux is insecure

The whole article is about what was presented at the Linux Security Summit 2016. What are you even suggesting? That Linux kernel developers are being paid off by the kike boogeyman to make Linux look bad so le ebil jew media report on it?

windows and os x are naturally doing worse

This applies to all applications of software. Getting rid of one kernel doesn't fix that shit

Linux had security through obscurity in the 90s. It was mostly used on professional servers and only state actors or serious badasses would be hacking them, mostly just for the hacker cred and epenis and not for any real malicious purpose. Nowadays Linux is on every phone, lots of tablets, IoT devices, and even making traction on the desktop. It's being actively targeted for inclusion in botnets and by assholes looking to steal personal information. Linux definitely needs some security work done, but really, the bigger problem is PEOPLE, not Linux. No matter how secure you TRY to make it, if someone does something retarded, it won't matter.

TL;DR-PEBKAC

My recommendation is to *gasp* fork Linux and make a locked the fuck down version for morons and IoT shit that is hardened against most attack vectors and doesn't include unneeded shit.

Doesn't help if the vendor doesn't publish updates.

But Linux is the most insecure OS out there.

I've worked for Cigital and if we could single out what platform we found the most holes in, it would hands down be Linux.

Linux apologists fool themselves by comparing figures between the Linux kernel and the entire Windows environment, but that's deceiving: there are also Linux-specific vulnerabilities in glibc, systemd, OpenSSL, Apache, MySQL, nginx, bash, etc.

Not to mention Linux lacks the most basic security mitigations unless you pay for grsec, and most distributions have awful defaults.

To make matters worse, Linux application developers seem to have a false sense of security because they're developing on Linux. They seem to believe they're immune to breaches and they do not comprehend the basics of infiltration, so they ignore unpatched buffer overflows and unresolved compiler warnings, and they do not pay attention to the OWASP Top 10 when developing web apps (hands down the thing Linux is used the most for out there is web, so this is extremely relevant). Developers on other platforms are more security aware.

>My recommendation is to *gasp* fork Linux

Probably better at this point to throw it into the trash and just start over with something new. There is no fixing the stupid inside the Linux kernel.

This argument is so general that they might as well have applied it against the Internet of Things or software in general. Their conclusion that Linux is not presently suitable for IoT is correct but they are wrong in thinking it ever could be.

Devices will be abandoned and never updated, especially if they use Linux. IoT is feasible with a walled-garden approach where the individual unit cost is so high that long-term software maintenance is profitable. Open-source Linux cannot be used in this environment.

>relying on a device connected to the internet to protect your home

Seriously, nigga?

I wouldn't say Linux is the least secure system, but no one who works in the security industry falls for the "Linux = more security than Windows" meme.

Security professionals worth their salt know "security as a product" is one hell of a pitfall.

Can someone explain to me how an attacker might use its bugs?

Consider an IoT device where the manufacturer actually took the time to do some basic sysadmin shit like creating an unprivileged account and changing the root password to something dictionary-attack proof, and used some good software development techniques like sanitizing user input. I know most devices out there do not care about this yet.

>Can someone explain to me how an attacker might use its bugs?

Simply put: They cannot.
This is all just overblown bullshit to make Linux look bad in the public eye.

Read pic related.

As a rule, every bug can be exploited.

Shall we see the rise of the glorious HURD then?

You're a retard

There is a reason no one uses windows for security.

GNU is part of the problem.

threatpost.com/critical-glibc-vulnerability-puts-all-linux-machines-at-risk/116261/

Meanwhile FreeBSD has had no remote holes in its flat distribution in years.

Stinky Linux faggot BTFO forever

>Linux's vulnerabilities broken down and Microsoft's stacked together
Thanks for proving me right.

>There is a reason no one uses windows for security.
I work in the network security industry and that is simply not true at all. I have to admit Windows wouldn't be my first choice for anything, security-wise or not, but like this guy said, security is not a product, it's a process. Any platform can be bulletproof or literally Swiss cheese.

>freetard 'community' developed shit

Lol. It never occurred to me how unsafe Linux was.

[citation needed faggot]

Can you circlejump a buffer overflow in quake?

...

HAHAHAAAHAHHAH BTFO LINUX

>Linux kernel security needs a rethink
I do think NT needs a security rethink first.
Who the fuck thought rendering fonts in kernel space was a great idea?

>Internet-connected door lock
people using that shit deserve what they get

>2016
>Linux kernel alone has twice as many distinct vulns as Windows XP
>Windows
>Fucking
>XP

I should have known those freetards were lying about open source being secure because "muh freedumbs" and "muh many eyes over the code" bullshit.

Muh 18 month old android ain't getting any more updates.
Thanks, Torvalds.

Security holes, ya dummy

This is literally a problem with hardware manufacturers, not Linux. The fact that Linux developers are looking into an issue that is not technically their problem is quite admirable imo.

>Not an argument
Yeah, well "embedded device vendors don't make updates available" isn't exactly an argument for "Linux btfo" either

This. Security is not a product, you can't fucking purchase a secure system or get one that just werks because security is a human issue. Bugs are created by flaws in logic and process when writing code, so you have to be proactive about updating your system.

I don't use linux because it's inherently more secure, I use linux because the platform makes it easier for me to maintain my system.

Oh god this man is so fucking BASED.
I wish I could install openbsd, but it doesn't support trim for ssd.

Nothing is safe. If you think safety exists you're delusional. You create your own security, you maintain your own system. Windows and OSX make it almost impossible to maintain your own system, but it's easy with linux and that's why it's superior.

I imagine it's a simplified abstraction of the actual vector that might occur. For instance, an infection in the 10-year-old IoT refrigerator spreads to the NFC-enabled door lock.

Not the previous user but I'm sure you don't get the point.
This obviously doesn't apply only to Linux: I wonder how many security bugs are still to be found in closed source operating systems like Windows and OS X; it's just that you're not bitching about them because MS and Apple won't give public disclosure of how long a bug has been there and how much it took them to confirm it and fix it.

I honestly don't see a big problem here because I don't want my fucking fridge to be connected to the internet. We've lived offline for ages and yet we managed to prosper and evolve. I don't see how my internet enabled fridge will make my life easier desu.

Still, companies who develop IoT gadgets running Linux have access to the kernel source code and can go ahead bug hunting on their own and then feed the results back to the kernel maintainers.

>Linux developers are looking into an issue that is not technically their problem

>the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.

>not technically their problem

Lol, just lol.
Lindrones straight up cannot face reality.

Daily reminder that X11 has no privilege separation on Linux, therefore it can bring down the whole system (and often does).

What Windows fixes?

On what planet?
All of your devices that aren't a PC

>Android
>pushing updates to the phones

>Oh god this man is so fucking BSD

???

Daily reminder that X11 is not a kernel

5/10 made me reply

Android is not a company. Nor do companies push updates, most normies don't even want to update their OS version, and those that do probably won't be able to after 6 months which is the average time companies send updates for each device.

-Sent from Android version 4.4.2

That's the problem, without privilege separation you don't get any of the security benefits of having GUI code outside ring 0 but all of the performance hits. Linux GUI has all the security flaws Windows' does, but Windows' is orders of magnitude faster. It's the stupidest trade-off.

> internet connected door lock
> not secure

Everything I thought I knew turned out to be a lie.

Why can't atheists define security through obscurity?
en.wikipedia.org/wiki/Security_through_obscurity

Google "quake2 remote exploits". Shit brix.

Is this just for the original quake 1/2 executables? Are source ports still affected by this?

Mostly original q2, it was a clusterfuck.

TBQH IoT security in general is a farce. There's just no way to leave anything in what is effectively public space with any kind of static defense and believe it won't be breached over a relatively short period of time so long as there is reason to breach it.

Anyone propounding the idea that there's a solution to this that doesn't involve being able to update these devices is a charlatan selling snake oil. Netsec has been screaming this since the IoT meme started and professional huckster kikes like Zuckerfag have ignored that in order to promise good stupid goyim even more asinine hedonism.

Any widespread rollout of this kind of shit should be well and dually fucked over and hacked to bits to serve as a warning to the public about how dumb it is. Hopefully the hook nosed fucking assholes pushing it lose a lot of their precious shekels in the process.

Just grab the kernel from OpenBSD ffs.

>talks about "stacking down" windows 10 as an OS vs linux as a kernel
>post numbers showing stacked down all versions of Debian/Ubuntu vs Windows 10
Isn't this hypocrisy? Also the Linux kernel has stacked versions too, some are unmaintained.

Also I would like to point out that the Debian security team manages security across all official packages available in the repos. This is a lot more software than for example Ubuntu, which doesn't even produce security updates for VLC. If you think placing Windows vs Linux kernel is unfair, you would have to put everything ever listed as Windows 10 supported + Windows 10 as an OS vs the whole Debian repos, or something stupid like that.

What I'm trying to say, you cannot really trust CVEdetails statistics to compare security on two OSes.
You can however laugh at bugs with high score not being fixed for years or affecting new releases since a very old release. I do not know if cvedetails still lists vulnerabilities with existing patches though but it seems so.

I hope they will.
start with elm, then move to haskell, rust etc.

>Isn't this hypocrisy?
Hypocrisy is when one doesn't do as one speaks, not when somebody else doesn't.

You'd imagine wrong. A local isp is advertising a home automation service to bundle with their other shit and one of the "features" is that you can open the door for guests while you're not home. I wonder how an internet service provider provides that service.

Honestly security is irrelevant in these applications. The people installing this shit have homes with windows and leave their shit unprotected. A thief that is willing to break and enter is going to break the fucking window, not figure out how to open the lock.

The type of person who buys a toaster with a camera and microphone doesn't care if it gets hacked. He already takes photos of himself and posts them on facebook. He already has his phone with him to constantly report his position and activities to facebook. All he bought the toaster for was so he doesn't have to manually tell the world what he ate for breakfast. The security vulnerability here is that someone could burn his toast.

Do you realise what IoT stands for?

>According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.
Could someone provide some examples. I've been using Linux for 7+ years and going solely off memory, I can't think of anything that hasn't been patched almost immediately after discovery.

well yeah you talked about stacking the Microsoft vulnerabilities vs the Linux kernel, so tell me what you think about vulnerabilities in Windows 10 vs Ubuntu 16.04, both include the kernel and basic software installed with the OS. I can even forgive you that Ubuntu includes shitloads of packages not installed by default.

cvedetails.com/vulnerability-list/vendor_id-26/product_id-32238/Microsoft-Windows-10.html

cvedetails.com/vulnerability-list/vendor_id-4781/product_id-20550/version_id-194088/Canonical-Ubuntu-Linux-16.04.html

You can achieve best comparison pleasure looking at the number of 9+ score vulnerabilities. Bonus points for Windows 10 CVEs affecting Windows Vista or older.

But seriously now, why do people's dicks get hard for bashing software they don't use. Can't we all just agree that using OSX is gay and stop those pointless threads?

Well, you talked about hypocrisy, so tell me what you think about saying you can't really trust CVEdetails and then keep spamming that shit down my throat.

>systems that dont get updated have security flaws

Literally what kernel or system is this NOT true for??

Yes I told you how it is not a good way to compare shit because it stacks multiple versions of Linux distros into one, while secluding Windows versions. Also I pointed out twice now that Linux distro security teams usually provide CVE patches for software beyond the ones installed by default. You told that one guy that stacking Microsoft vs Linux kernel proves your point, explain how in the light of Windows 10 vs Ubuntu 16.04

>security patches don't fix unpatched systems
THIS JUST IN!!!

Don't bother feeding the troll. These are the exact kind of Jewish tricks stallmanites use all the time, do not fall in to the trap of giving them attention.

DELETE THIS WINKEK

>systems that aren't updated have security holes
Why is this being touted as a Linux problem?

>Why is this being touted as a Linux problem?

>the average lifetime of a critical security bug in the Linux kernel, from introduction during a code commit to public discovery and having a patch issued, averages three years or more. According to Cook’s analysis, critical and high-severity security bugs in the upstream kernel have lifespans from 3.3 to 6.4 years between commit and discovery.

>Why is this being touted as a Linux problem?

I have no idea...

he probably thinks its asinine as fuck

>yes goy, some freetard is giving you comparable numbers, do not listen! Don't forget to buy the new, secure Windows 10! With anniversary updates it will be yours forever! The free software foundation is transphobic and an enemy of your freedom!

ITT: Linux shills ignore the existence of everything other than IoT devices because it's the only way they can try to save face.

Where are all the
>muh server marketshare
>muh smartphone marketshare
>muh supercompootah marketshare
now?
I'll tell you where. Fucking suicide watch.

FOR THE ONE MILLIONTH TIME: BECAUSE LINUX HAS NO GODDAMN MITIGATIONS!

Why do you think OpenBSD's default install almost never has any remotely exploitable vulns, even without any updates? BECAUSE MITIGATIONS!

>Fucking suicide watch.
Can you blame them? 25 years of hard work down the drain because they cared more about hating Windows than actually building something secure that could last the test of time. The downside is that unlike MS, Apple, etc, when Linux inevitably falls it has nothing to help it back up. Game over.

With Open Source Software, you learn about vulns at public security summits. With Windows, you learn about them after some Russian 12 year old from China who weighs 400 pounds hacks you from his mattress with 0-days that you can't mitigate yourself.

are the gripes of that guy warranted? pfsense is a popular firewall after all

>a list of things that actually get security updates
Looks like someone skipped their English classes. Bad Pajeet!

How is that different from any other kernel?

Oh, it's different because on other ones you can't even identify vulnerabilities as easily since it's closed. Eat shit.

Does it make understanding people easier for you to stereotype them into black and white labels?

What was the last commit you made to an open source project?

Because nobody uses it.

>How is that different from any other kernel?
It's not, which is why it makes no sense that Linux users are so desperate to lie and try to cover it up so badly. What else is there going on which makes them so desperate to hide the truth?

Really makes me think to be honest.

Linux is hobbyist tier shit

It's just a joke that get worse every year

are you trying to tell us that server administrators and supercomputer administrators do not update the software at all? I can agree on smartphone marketshare though, this shit is plain retarded - make a phone, promise updates, updates end after a year tops, blame Torvalds for not fixing your fully blobbed version of 2.6 Linux kernel. Looks legit to me! Meanwhile I'm using my end-of-life Nokia Belle symbian phone.

You think that's a Linux specific problem?

Reminder that Iran's nuclear program got stuffed because of Stuxnet which exploited several privilege escalating 0-day holes in Windows which were also years old at that point.

He has an ego, but he's right. FreeBSD still didn't have ASLR until VERY recently, and even Windows has had it since at least XP or Vista.

this also begs the following question:
why is there no pfsense equivalent for openbsd? they have the newest version of pf since they're developing it, too.

Typical Linux user blaming the user for a flaw that is clearly caused by the OS

>This is why there ought to be LTS kernel versions that span more than a decade
They still need updates

>are the gripes of that guy (You) warranted?
Yes but the video is 3 years old now, FreeBSD has made quite some progress (especially in v11) and Linux distros are doing a bit better than when the video was made.

Still; OpenBSD, Windows and OSX still come on top by a long shot. OpenBSD out of drive for technology and the other two because of paying customers.

XP was the biggest sec nightmare before SP3. I don't want to know how much money MS started throwing at security development in the XP years, if they hadn't though they would have literally died.

>Not to mention Linux lacks the most basic security mitigations unless you pay for grsec
heh
Really shows how much you actually knew at your job

Linux systems running X11 are not mission critical systems (or shouldn't be) and generally not run on IoT/embedded systems (or shouldn't be due to weight). And any user of X11 is able to easily update/reinstall their system if security and stability concerns them.

>vendors are shit
and
>vendors set up
how is this blaming the user? Why would anybody blame the user that his Samsung Galaxy Trend or some other shit has had no security updates from the manufacturer for at least two years now? Except maybe jews, because the user should have bought a new phone in this time and sent the old phone to Africa so children can scrape gold from it.

Linux supports billions more devices than Windows. And it's still more secure

Nah it's just there's too many bugs and nobody fixing them

Linux isn't ready for primetime yet.

X11 solely as a desktop system wasn't the plan. Distributed computing was a main feature that required compromises to be made.

Using X11 just as a multimedia desktop and complaining about performance in this regard is like using a microwave only as a paper weight and bitching about how unwieldy it is to move around your desk.

>Nah it's just there's too many bugs and nobody fixing them
sounds like a perfect description of windows to me

>tfw only reason to use X in 2016 is to use a linux distro on a desktop computer, and X is not suited for the task
Wayland on NVIDIA drivers when?

Even if Linux developers found and patched all security vulnerabilities within seconds it still wouldn't matter to people who never update.

all those devices use default logins and passwords, that's how.

Shitty DVRs and webcams are being exploited because Linux is insecure

Yeah, except OpenBSD can do it WITH privilege separation. It has been able to for almost a decade now.

Linux is just very out-of-date security-features-wise.

ITT:
Board that had generals with guides on how to disable Windows 10 Updates, or use Vista in 2016 instead is telling freetards that their old, unmaintained kernel versions on embedded devices are insecure
>:^)

>in the year of 2010+6
>not using custom, hardened RTOS for your IoT projects
seriously.

>It's Linux's fault that normies don't change default passwords

>tfw only reason to use X in 2016 is to use a linux distro on a desktop computer, and X is not suited for the task

Been using Linux ~20 years. If I use a desktop it's not for multimedia. Windows and OSX are desktop multimedia OSes.

>Cook gave the example of an Internet-connected door lock that an end-user might well use for 15 years or more.
We all know regular doors are fool proof, pic related.

I always thought that using Linux for multimedia is fine. Well, with that one exception of DRMed DVDs, but it caught me off guard since I normally do not play videos from DVDs.

>FOR THE ONE MILLIONTH TIME: BECAUSE LINUX HAS NO GODDAMN MITIGATIONS!
what is ASLR?

btw, sage goes in all fields. this troll thread is retarded

>Why do you think OpenBSD's default install almost never has any remotely exploitable vulns, even without any updates? BECAUSE MITIGATIONS!
cvedetails.com/vulnerability-list/vendor_id-97/Openbsd.html
also btw, the "solution" (if it can be called that) to this already exists, and comes from the same people that created ASLR: grsecurity

whose fault it is then? it's a software design flaw.

That's the problem

It's not good enough

windows isn't an IoT platform

tell that to microsoft

>Linux has massive security issues
>T-troll thread!

k buddy

Let me know when millions of chinese devices use embedded windows then

MS can say whatever they want

>>linux has no mitigations!!11
>ASLR
>>hurr durr!!
do you even know a thing or two about security?

well, they are trying hard to push for devs to use their shit

Linux Shill Defense Bridge is out in force tonight.

another great cvedetails user not posting current versions
cvedetails.com/version-list/97/163/1/Openbsd-Openbsd.html
I don't even like bsd

But OP's whole post is that current version fixes don't matter since most devices won't be updated.

This is apparently a Linux-unique problem.

>Runs out of argument
>lol shill XDDD
Typical winbabby. Fuck off

let me get this straight, so Linux and BSD are insecure because no one will install updates, and that somehow does not apply to Windows (if there is still no one to install updates)?

>This is apparently a Linux-unique problem.
Well there you go. BSD is fine then.

Apparently.

>insecure because no one will install updates
>that somehow does not apply to windows (if still there is no one to install updates)?
the OP is implying that this is a linux-only problem
well, what do you think about the topic? what about the OP?

There's also the fact that Theo complains that no one ever gives money to them, this changed A LOT.

They actually have some level of corporate backing every year now.

Blame freedesktop for not accepting their privsep patches upstream, I guess.

Yes it is, Windows can enforce password policy.

>what is ASLR?
something that's mostly turned off and not enforced?
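Since the thread keeps circling back to whether ASLR on Linux is really in effect, here is an added example (my own code, not from any post above) showing the two things a defender actually checks: the kernel-wide `/proc/sys/kernel/randomize_va_space` value, and whether a given executable is built as PIE (ELF type ET_DYN). A non-PIE main binary (ET_EXEC) is loaded at a fixed address no matter what the sysctl says, which is where the "mostly turned off" impression comes from. The sample ELF headers are constructed inline so it runs offline; the function names are my own.

```python
#!/usr/bin/env python3
"""Check whether ASLR can actually apply to a Linux process: the sysctl must be
on AND the main executable must be position-independent (ET_DYN).
Added example, not code from the thread; sample headers are constructed."""
import struct
import sys
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2   # fixed load address: the main image is never randomized
ET_DYN = 3    # relocatable: a PIE executable (or a shared object)

RANDOMIZE_VA_SPACE = Path("/proc/sys/kernel/randomize_va_space")


def elf_type(header: bytes) -> str:
    """Classify the first bytes of an ELF file by e_type.

    Returns 'exec' for ET_EXEC, 'pie' for ET_DYN (for a main executable this
    means it was linked position-independent), 'unknown' for other types, and
    'not-elf' when the magic is missing. e_type sits at offset 16 in both
    ELF32 and ELF64, encoded in the byte order named by EI_DATA (offset 5).
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return "not-elf"
    endian = "<" if header[5] == 1 else ">"   # EI_DATA: 1 little, 2 big
    (e_type,) = struct.unpack_from(endian + "H", header, 16)
    return {ET_EXEC: "exec", ET_DYN: "pie"}.get(e_type, "unknown")


def aslr_level(value: str) -> str:
    """Interpret the randomize_va_space sysctl (documented values 0/1/2)."""
    return {
        "0": "off",
        "1": "partial (stack, mmap, vdso randomized; brk is not)",
        "2": "full (also randomizes the brk heap)",
    }.get(value.strip(), "unexpected value: %r" % value)


def effective_aslr(sysctl_value: str, header: bytes) -> bool:
    """True only when both halves line up: sysctl non-zero and the binary is
    PIE. Either one alone leaves the main image at a fixed address."""
    return aslr_level(sysctl_value) != "off" and elf_type(header) == "pie"


def make_header(e_type: int, little_endian: bool = True) -> bytes:
    """Constructed 64-byte ELF64 header for offline testing; only the fields
    this script reads (magic, EI_DATA, e_type) carry meaningful values."""
    ident = ELF_MAGIC + bytes([2, 1 if little_endian else 2, 1]) + bytes(9)
    endian = "<" if little_endian else ">"
    rest = struct.pack(endian + "HHIQQQIHHHHHH", e_type, 0x3E, 1,
                       0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    return ident + rest


def audit(paths) -> dict:
    """Read the live sysctl (if present) and the header of each binary."""
    sysctl = RANDOMIZE_VA_SPACE.read_text() if RANDOMIZE_VA_SPACE.exists() else "0"
    report = {"randomize_va_space": aslr_level(sysctl)}
    for p in paths:
        with open(p, "rb") as fh:
            header = fh.read(64)
        report[p] = (elf_type(header), effective_aslr(sysctl, header))
    return report


if __name__ == "__main__":
    # Usage: python3 aslr_check.py /bin/ls /path/to/your/daemon
    for name, value in audit(sys.argv[1:]).items():
        print(f"{name}: {value}")
```

On a live box, run it against the daemons you actually expose; a `('exec', False)` entry for a listening service means the kernel setting is irrelevant for that process's main image and the fix is on the build side (link it as PIE), not in sysctl.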

And?

>something that's mostly turned off and not enforced?
hahaha, what the hell? sure thing, m8...
lol

>not updating your system doesn't install security updates
wew

wow you're underage

>what do you think of the topic
it's ridden with shills.

-any sufficiently big codebase has critical bugs*
-Both Windows, Linux and BSD are certainly big enough to have critical Bugs
-therefore all of them have critical security bugs.
Over time, these security bugs get discovered, and some of them get publicized, usually after a fix is out. Now, if software doesn't get updated, then I can simply use this several years old bug to take control of your system. This obviously applies to any OS. Shills in this thread are trying to paint this as something Linux-specific, rather than a general issue.

What, yesterday Linux was one of the safest kernels around and now suddenly it's full of security holes and shit?

Oh well, hopefully it will shut up the retarded aspect of the community...

>The security bugs lie in the firmware binary blobs, says the FSF
>The security bugs lie in the kernel, says the mainstream

Which one do I believe

Android- protecting the kernel.pdf

Same question.
Can I apply them?

>sp2
ftfy

>one reason I refuse to bother with the whole security circus is that I think it glorifies—and thus encourages—the wrong behavior. It makes 'heroes' out of security people, as if the people who don't just fix normal bugs aren't as important. In fact, all the boring normal bugs are way more important, just because there's a lot more of them.

>I think the OpenBSD crowd is a bunch of masturbating monkeys, in that they make such a big deal about concentrating on security to the point where they pretty much admit that nothing else matters to them.

fucking lel

I don't understand how this has anything to do with Loonix.

If you don't upgrade your software this is basically what you can expect across the board.

And vendors that don't care to patch their modified, patched versions of Linux and distributions, e.g. Chinese CCTV boxes.

>lifetime of critical bug averages 3 years or more

This is the major problem

It's describing the problem of unfound, unfixed bugs that may include ZDEs.

But the tl;dr here is (and this is said in the article) that most of these bugs are in 3rd party kernel drivers. And the people that do Linux are getting very serious about security.

Technically, you could make the problem go away by using a microkernel so that bugs in device drivers and plenty of other kernel modules are not security issues.

every kernel starts as a microkernel.
every successful kernel is not a microkernel.
kernels introduce more functionality over time (like device drivers) because it improves performance

unfortunately whispering microkernel on its own does not provide a real world solution.

I am not providing a solution. I am saying that technically the path to a solution is known, it's just that no one has successfully walked it yet - as a counter-argument to your statement that there's no solution possible.

Also Linux quite clearly did not start as a microkernel. Do you even know what a microkernel is?

OS X was built on something that was built on something that was built on Mach. Clearly no longer a microkernel.

Clearly the microkernel line has been walked; it's a novelty and an academic plaything, but there is no way to make it competitively performant, there is too much overhead to put device drivers in userland.

This is why Windows migrated the Windows graphics component INTO (not out of) the kernel years ago, and why we have things like .tiff images achieving privilege escalation.

And I never said there is no solution, I said microkernels were not, and did not offer my own. I think that the problem is pretty clear. If most bugs are coming from 3rd parties (read private parties), the solution has to be to push free further into industry.

if these companies want to be in kernel space they should be releasing fully documented chips and APIs and allowing kernel devs to write the software.

>every kernel starts as a microkernel.
Better choose your words carefully next time nigguh.

Anyway, performance is not everything. Not everyone, given the choice of speed vs security, will choose the latter. Moreover, circumstances change. If on today's hardware the performance of a microkernel may not be acceptable, it could be on tomorrow's.

>Iphone Os

Where did you get this list?

The overhead of putting something in userland is acceptable when the number of kernel API calls is low.

For something like a NIC, I bet the number of API calls that the driver makes is probably unreasonable to put in userland, especially for a webserver. The same would go for display drivers for a graphics workstation etc...

Projects like OpenBSD develop their own drivers (not necessarily by choice), and although I don't have the statistics I would bet driver bugs are relatively less common.

The reasonable solution must be pushing for publicly documented chips and APIs. The Linux Foundation has the clout to do it already.

>every kernel starts as a microkernel.
user...

>Even if Linux developers found and patched all security vulnerabilities within seconds it still wouldn't matter to people who never update.
So your argument is that you don't need to fix critical errors because people don't all instantly update?

Gee I wonder if that's because updating breaks everything and introduces even more critical flaws.

So you ignore the post I wrote about performance not being everything and proceed to write a wall of text elaborating that performance is, indeed, everything by listing some examples where performance seems to be important. Nice.

this is literally
>people die when they're killed
tier

I don't care. I'm still going to run the superior GNU/Linux operating system.

No, I understood your point that performance isn't everything to everyone.

But it is very important to people that make the decisions, and apparently their opinions matter more.

So I elaborated by laying out a principled solution that is philosophically compatible with Linux and OSI without sacrifice or prayer that it might someday be feasible.

I use Windows 10. I am not ashamed.

>he claims there's a campaign against Linux
>he must be from Cred Forums
This is a fallacy.
There has been a concerted effort by corporate interests to wrest control of Linux away from the core kernel hacker group for a long time. Red Hat has made the best inroads, but don't forget there are many more looking to do the same.


I always eagerly wait for the new Lunix kernel. When I think of what compilation commands to use I get a huge boner and I often masturbate during the compilation. Some time ago I bought a new computer that compiles the kernel so fast I don't have time to cum. So I compile it twice.

Under appreciated first post. FP;BP as always.

>implying that everything is always patched in next few days
most 0days get patched like 2 years later everywhere

Is Wayland any better in this matter?

Damn that's a lot of ass talk

> nginx
> lots of security holes
Get a load of this retard

kek
laughing at the desperate red hat shills damage controlling to this post
The first step is always denial

The Internet is a term for a network of connected devices, but this doesn't mean they reach out to the WWW.

REDOX OS IS THE FUTURE
Let's all contribute to Redox OS.

This is your brain on openplacebo.

The only thing open about openbsd is its backdoors.

Clearly the solution is to use Windows 10 IoT on your internet-connected door lock instead of Linux

Because security is taboo in OpenBSD land. Only wishful thinking is allowed. If they were to allow a competent firewall on their system, that would be an admission of the truth (that their security is entirely imagined and not real).

topkek

>"Android does in fact inherit bugs from the upstream kernel," he said, "but our data shows that most of Android's kernel security vulnerabilities live in device drivers."

yet again, this goes to show why we need more free software and less proprietary third party drivers


And this is why nobody with half a brain can unironically say that OpenBSD is secure - it contains proprietary blobs in the base image and downloads more without even telling the user during the install process. Of course, they change the meaning of the word blob so they don't get sued for false advertising when they say they're blob-free...

The NSA uses Linux

The KGB uses Linux

Linux is more secure than Windows.

/thread

Do you even know what pfSense is?

It's literally a GUI for the OpenBSD firewall that's also used in FreeBSD.

The biggest reason I can't take OpenBSD seriously is because all of their concepts of security revolve around making the programs use them, which means their tree and nothing else.

In other words, you effectively can't run third party programs on OpenBSD at all. It fails at the fundamental job of being an operating system by definition.

>Internet-connected door lock
pic related

fpbp, this IoT meme needs to stop as soon as possible, before something really bad happens at a large scale.

>It fails at the fundamental job of being an operating system by definition.
It's not, but it fails miserably in many parts. It's more or less a research project anyway.

An operating system is a platform on which users can execute their own programs. If an OS disincentivizes running your own programs, it sucks at being an OS.

I can't run Photoshop on Linux. I'm glad Linux users understand why we Windows users can't take Linux seriously.

>In other words, you effectively can't run third party programs on OpenBSD at all
At all? Wow, I guess I'm able to run Firefox by pure magic then.

Nice FUD, nigger.

There is, it's called securityrouter. But the reason pfSense chose FreeBSD is because they could just fork m0n0wall instead of starting from scratch, they could offer more features and more performance that way.

>If an OS disincentivizes running your own programs, it sucks at being an OS.
Why has Linux no support for de facto standard programming APIs like .NET, Win32, ActiveX and Direct3D then?

By your own criterion, Linux sucks at being an OS.

Yes, firefox is a great example of a program that receives absolutely fuckall of OpenBSD's “security enhancements” because it's not rewritten to use OpenBSD's security features.

I never said it was impossible to do, I said it was disincentivized / effectively impossible (as long as you want security out of OpenBSD - you know, the only reason people even consider OpenBSD)

Not sure if bait or just legitimately retarded. Allowing you to run your own programs does not mean needing to magically support every API in existence.

As long as you have at least ONE mechanism for running third-party programs, you have the capability and therefore do not violate the definition of an OS.

Pretty sure W^X violations and all that other shit are enforced system-wide though, specifically because you can't just fork everything.

>OpenBSD violates the definition of an OS because it forces programs to behave
Wow, you are dumb.

The example I had in my mind is OpenSSL's refusal to implement MAC. Instead of MAC (which works for every program, even third-party) they instead make the program itself drop syscall capabilities, which requires patching every single package in their repositories.

It's not the first time they've done something like this either, but to me it's the most egregious. I don't understand how they can just go ahead and assume syscall security only matters for patched in-tree software.

No, it literally doesn't. It does the exact opposite. It lets third-party programs do whatever they want, not governed by a permissions system (like e.g. SELinux on Linux)

See

>muh MACs
fuck i should've known it was you

>implying it makes sense to accept overengineered NSA dogshit like SELinux which adds infinite complexity and traps sysadmins just to comply with outdated DoD Orange Book bullshit when you can already completely lock down the system, control user access by data sensitivity level, compartmentalize users and contain break-in attempts with everything OpenBSD's already got

Next you're gonna complain that OpenBSD only supports Unix permissions and doesn't have ACLs. Literally kill yourself.

>you
who?

>not governed by a permissions system
You only need that shit because you run all your fucking daemons as fucking root, you fucking Linux morons. OpenBSD has privilege separation.

Also, lrn2chroot + systrace. Don't blame the operating system for you being a newbie sysadmin.

well a router is not really IoT for example..

>You only need that shit because you run all your fucking daemons as fucking root, you fucking Linux morons.
People do this?

>OpenBSD has privilege separation.
So how does it do privilege separation while only having POSIX permissions? Combinatorial group explosion?

Say I have a file that needs to be accessed by programs X,Y,Z but not by A,B,C. Then I have another file that needs to be accessed by X,B but not by Y,A,C. Then I have another file that needs to be accessed by Y,C but not by X,A,B.

How do you do that without ACLs or permission vectors?

Almost every daemon or insecure-by-nature component (HTTP for example) runs as its own user in a chroot.

Okay, so what if I want to run Skype?

>People do this?
Reminder that X11 on Linux runs as root to this day.

>So how does it do privilege separation while only having POSIX permissions?
man.openbsd.org/OpenBSD-current/man2/pledge.2
man.openbsd.org/OpenBSD-current/man2/chroot.2

>Say I have a file that needs to be accessed by programs X,Y,Z but not by A,B,C. Then I have another file that needs to be accessed by X,B but not by Y,A,C. Then I have another file that needs to be accessed by Y,C but not by X,A,B.
Create group_that_has_access_to_file_1, group_that_has_access_to_file_2 and group_that_has_access_to_file_3. Put X, Y and Z in the first, X and B in the 2nd and Y and C in the third. Change the group ownership of the files. Done.

Are you really so mentally challenged that you couldn't figure this out?

Whatever.
I use an HPC running fully up-to-date Arch Linux as my router anyway, so it works fine for me.

>running MS non-free software
come on

Don't tell me you're not him now.

>ACLs vs. POSIX again
Look, you can mathematically prove that there's nothing ACLs can do that Unix permissions can't, yet the former are various orders of magnitude more complex.

>skype
You've shown your true colours. No need to proceed with this.

>Reminder that X11 on Linux runs as root to this day.
You mean X.org? And it's the minority here, isn't it? You said “all” daemons, which implies every single daemon. On my system, virtually every daemon seems to run as its own user, with systemd and sshd being the only exceptions. That's not “all”, to me.

>man.openbsd.org/OpenBSD-current/man2/pledge.2
Yes, I'm fully aware of OpenBSD's “pseudo-MAC” which only works for patched in-tree software.

>man.openbsd.org/OpenBSD-current/man2/chroot.2
chroot is a mechanism for implementing a policy, but it does not provide a policy. How do you configure your policy on OpenBSD? You need ACLs or Vectors to avoid combinatorial explosion. POSIX groups just don't cut it.

>Create group_that_has_access_to_file_1, group_that_has_access_to_file_2 and group_that_has_access_to_file_3.
Wow, fantastic. You just described combinatorial explosion to me. Next thing I know you're going to be telling me to have a separate POSIX group for every 2^N combination of users and files on my system

good job, truly am impressed by your revolutionary OS
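The group-per-file scheme from the earlier post and the combinatorial objection to it, as an added example that is not part of the thread: the access matrix stated above is mapped onto POSIX groups, one group per distinct access set, and the plan is checked against the matrix. Group names, root ownership and the 0640 mode are assumptions.

```python
# Worked example (added here, not from the thread): the access matrix from the
# post above mapped onto POSIX groups, with a check of what the scheme costs.
# Constructed data: subjects A,B,C,X,Y,Z and three files with the stated rules.

ACCESS = {  # file -> set of subjects that may read it
    "file1": {"X", "Y", "Z"},
    "file2": {"X", "B"},
    "file3": {"Y", "C"},
}
SUBJECTS = {"A", "B", "C", "X", "Y", "Z"}


def plan_groups(access):
    """Return (file -> group, group -> members).

    A file carries exactly one group, so one group is created per *distinct*
    access set. Files with identical sets share a group; the group count is
    therefore bounded by the number of files, not by the 2^N subject subsets."""
    by_set = {}                       # frozenset(members) -> group name
    file_group = {}
    for fname, members in sorted(access.items()):
        key = frozenset(members)
        if key not in by_set:
            by_set[key] = "grp_%d" % (len(by_set) + 1)   # assumed naming
        file_group[fname] = by_set[key]
    members = {g: sorted(k) for k, g in by_set.items()}
    return file_group, members


def groups_needed(access):
    """Number of distinct access sets, i.e. groups an admin has to create."""
    return len({frozenset(m) for m in access.values()})


def can_access(subject, fname, file_group, members):
    """Decision under assumed mode 0640 with a root owner: only the group bit
    grants access, so the question is just 'is the subject in the file's group?'"""
    return subject in members[file_group[fname]]


def verify(access, subjects):
    """True when every (subject, file) decision matches the matrix exactly."""
    file_group, members = plan_groups(access)
    return all(
        can_access(s, f, file_group, members) == (s in access[f])
        for s in subjects
        for f in access
    )


if __name__ == "__main__":
    fg, mem = plan_groups(ACCESS)
    for f, g in fg.items():
        print("%s -> chgrp %s; chmod 0640  (members: %s)" % (f, g, ", ".join(mem[g])))
    print("groups needed:", groups_needed(ACCESS), "verified:", verify(ACCESS, SUBJECTS))
```

The scheme only breaks down when many files each need a different access set, since every distinct set costs one more group.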

>Look, you can mathematically prove that there's nothing ACLs can do that Unix permissions can't, yet the former are various orders of magnitude more complex.
Yeah I don't need your O(2^n) proof thanks

Okay, so you can't? Thanks, that's the answer I was expecting to hear from you delusional suckless/OpenBSD idiots who think the world revolves around your naive ecosystem.

>he uses systemd

marc.info/?t=141616714600001&r=1&w=2

Love how lintards don't have an answer to this.

FreeBSD still does not have ASLR or any mitigations like that, even in the -CURRENT branch. There was an experimental work-in-progress diff for it that's gone nowhere.

Actually, a lot of third-party software in the OpenBSD ports/package collection gets additional security benefits. Many have had pledge integrated or additional chrooting (see nginx for example).

what's wrong with systemd?

You're replying to a troll.

FreeBSD's "security" is a joke.
vez.mrsk.me/freebsd-defaults.txt

>I wish I could install OpenBSD, but it doesn't support TRIM for SSDs.

Is this needed on modern SSDs? I thought most had junk collection built into the firmware. I haven't noticed any slowdown on mine, it's an Intel one from about four years ago.

Maybe running PHP as root on your edge gateway device isn't the best idea...

>FreeBSD has made quite some progress (especially in v11)

Like what? I read the release notes page and saw almost nothing related to security.

Aren't portsnap and freebsd-update still vulnerable to KNOWN exploits that were brought up months ago?

pfSense and FreeBSD run a version of pf that's almost eight years old now, buddy.

>sshd
I hope you're using lsh instead of OpenSSH since you hate OpenBSD so much.

Yup, and that's why pfSense should be OpenBSD-based.

What piece of software or operating system doesn't have attack vectors?

Probably none. How easy is it to execute an attack on an operating system, Linux or Windows? Probably easier on Windows as it's more commonly used.

Is Linux more secure than Windows, or is the inverse true?

bookmarked
ASLR. HardenedBeniS'D maybe knew it already.
>what piece of software or operating system doesn't have attack vectors?
Glorious TempleOS.

HardenedBSD is not FreeBSD and their changes won't be merged back upstream. It's not quite the same. FreeBSD has made NO improvements in this area since that 2013 video.

Ask for Genuine Microsoft Software.

install gentoo

We are talking about OpenBSD, the OS. The tools are... well, that, tools.