Old January 5, 2004, 17:46   #1
Asher
Apolytoners Hall of Fame
President of the OT
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Oh noooo, more Linux vulnerabilities...now without testing
Yet another couple of vulnerabilities for the Linux kernel. Pretty astonishing there are so many considering that it is so secure.

Apparently they also don't test these fixes very well. They attribute their ability to get releases out quickly to their being open source, but anyone could release the fixes so early. The reason they're going out so early is they don't do testing, let alone the large-scale testing corporations like MS have to do on patches.

http://news.com.com/2100-1002_3-5135...l?tag=nefd_top

Quote:
Security flaws force Linux kernel upgrade
Last modified: January 5, 2004, 11:34 AM PST
By Robert Lemos
Staff Writer, CNET News.com

Open-source developers released a new version of the Linux kernel Monday in a move aimed at quickly fixing several bugs--among them two serious security flaws.

The 2.4.24 upgrade to the Linux kernel comes a month after the release of the previous version of the core system software and only includes patches for six software issues, including the two flaws.

The release is intended to prompt users to upgrade quickly, said Marcelo Tosatti, the maintainer of the 2.4 kernel series and a Linux developer for data center management company Cyclades.

"These security issues need to be fixed as soon as possible," Tosatti told CNET News.com in an interview Monday. As maintainer, Tosatti decides what changes can be made to the kernel and when to release new versions of the core system software for Linux.

The most serious flaw, which occurs in a function used by virtual memory, resembles a vulnerability fixed in late November that had been exploited by unknown attackers to control several key Linux servers open-source developers use. Both flaws allow an intruder to increase the privileges of a normal user account to the same level as the system's owner.

Tosatti said that once it became clear that the latest flaw could be used to circumvent security on Linux systems, he and other developers decided to immediately release the fixes. The move follows decisions by the kernel developers to curtail new features in the 2.4 kernel series in order to get developers and users to move to the next generation of core Linux software, the 2.6 kernel. The final set of features that had been intended for this release of the kernel have been postponed until the next version, he said.

"It is good that I have the ability--because this is open source--to release the code so quickly," Tosatti said.

The second security flaw results in a device driver problem that could allow an intruder to read some memory the kernel uses.

The latest version of the kernel can be downloaded from Kernel.org. Patches for specific Linux distributions can be downloaded from their developers.
This is what you call Trustworthy Computing.
Old January 5, 2004, 17:51   #2
VJ
King
Join Date: Dec 2001
Location: Helsinki
Posts: 2,247
Linux vulnerable. Linux bad! Linux users, don't use Linux! Switch to Microsoft! We MS-users, and especially I, with my glorious Windows Millennium Edition, have much better, and more trustworthy, OS's!
Old January 5, 2004, 17:58   #3
Asher
Apolytoners Hall of Fame
President of the OT
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Hooray!
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Old January 5, 2004, 17:59   #4
Boris Godunov
Emperor
Join Date: Aug 2001
Location: Portland, OR
Posts: 4,412
Quote:
Originally posted by VJ
glorious Windows Millennium Edition
If I were drinking a glass of milk, I would have spit it across the room.
__________________
Everything in the world is a jest
Old January 5, 2004, 18:30   #5
Paul Hanson
King
Join Date: Aug 1999
Location: Dilbert
Posts: 1,839
People ought to use AmigaOS. Doesn't have any of these nasty security vulnerabilities, or, for that matter, any viruses out there that affect it.

Then again, you'd need an Amiga to run it.
__________________
"Paul Hanson, you should give Gibraltar back to the Spanish" - Paiktis, dramatically over-estimating my influence in diplomatic circles.

Eyewerks - you know you want to visit. No really, you do. Go on, click me.
Old January 5, 2004, 18:33   #6
laurentius
King
Join Date: Jun 2001
Location: of genial epicuri
Posts: 1,570
Still love your avatar VJ, it's the best!
__________________
That the Universe is but a flaw in the purity of Non-being.

- Paul Valery
Old January 5, 2004, 19:41   #7
Alex
Emperor
Join Date: Mar 1999
Location: Brasil
Posts: 3,958
Re: Oh noooo, more Linux vulnerabilities...now without testing
Quote:
Originally posted by Asher

The reason they're going out so early is they don't do testing, let alone the large-scale testing corporations like MS have to do on patches.
Apparently this large-scale testing has not been of much use either...
__________________
'Yep, I've been drinking again.'
Old January 5, 2004, 20:08   #8
Hueij
Emperor
Join Date: May 1999
Location: Kokonino Kounty
Posts: 4,263
Quote:
the large-scale testing corporations like MS have to do
Poor MicroDoze...
__________________
Within weeks they'll be re-opening the shipyards
And notifying the next of kin
Once again...
Old January 5, 2004, 20:28   #9
Asher
Apolytoners Hall of Fame
President of the OT
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
MicroDoze...that one's so innovative it is neither insulting nor funny. Keep up the good work.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Old January 5, 2004, 20:29   #10
Hueij
Emperor
Join Date: May 1999
Location: Kokonino Kounty
Posts: 4,263
Quote:
Originally posted by Asher
MicroDoze...that one's so innovative it is neither insulting nor funny. Keep up the good work.
I know, just trying to keep the $ out of it
__________________
Within weeks they'll be re-opening the shipyards
And notifying the next of kin
Once again...
Old January 5, 2004, 20:34   #11
Frozzy
Emperor
Join Date: Aug 2002
Location: Mad.
Posts: 4,142
MICRO$OFT $UXXOR$!!!!111!!!!111!!!1!

Why can't people just call it Microsoft? At least Windows users have the decency to call Linux Linux.
Old January 5, 2004, 20:39   #12
Asher
Apolytoners Hall of Fame
President of the OT
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Because the people who hate Microsoft tend to be waiting to grow up still.

Imagine if people called Linux Linsux or Sinux.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Old January 5, 2004, 20:46   #13
Provost Harrison
Deity
Join Date: Feb 2000
Location: Germans own my soul.
Posts: 14,861
Careful Hueij, Asher gets very protective of his precious
__________________
Speaking of Erith:

"It's not twinned with anywhere, but it does have a suicide pact with Dagenham" - Linda Smith
Old January 5, 2004, 22:07   #14
Alex
Emperor
Join Date: Mar 1999
Location: Brasil
Posts: 3,958
so the solution is to throw Bill Gates down into Mount Doom?
__________________
'Yep, I've been drinking again.'
Old January 5, 2004, 23:08   #15
Urban Ranger
Deity
Join Date: May 1999
Location: The City State of Noosphere, CPA special envoy
Posts: 14,606
Quote:
Originally posted by VJ
Linux vulnerable. Linux bad! Linux users, don't use Linux! Switch to Microsoft! We MS-users, and especially I, with my glorious Windows Millennium Edition, have much better, and more trustworthy, OS's!
__________________
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."
Old January 5, 2004, 23:57   #16
mrmitchell
King
Join Date: Sep 2002
Posts: 2,394
Asher, I have said this before and I will repeat it, I was under the belief that the whole point behind Linux is that it's all open source, so within minutes of a bug's discovery you will have thousands of geeks fixing it and testing every possible issue.
__________________
meet the new boss, same as the old boss
Old January 5, 2004, 23:59   #17
Urban Ranger
Deity
Join Date: May 1999
Location: The City State of Noosphere, CPA special envoy
Posts: 14,606
Quote:
Originally posted by mrmitchell
Asher, I have said this before and I will repeat it, I was under the belief that the whole point behind Linux is that it's all open source, so within minutes of a bug's discovery you will have thousands of geeks fixing it and testing every possible issue.
As compared to MS's denying of any possible security flaws until somebody else posts solid evidence. Then it throws a tantrum and calls people names.
__________________
(\__/) 07/07/1937 - Never forget
(='.'=) "Claims demand evidence; extraordinary claims demand extraordinary evidence." -- Carl Sagan
(")_(") "Starting the fire from within."
Old January 6, 2004, 00:13   #18
ravagon
King
Join Date: Sep 1999
Location: Australia
Posts: 1,515
Quote:
Originally posted by Urban Ranger

As compared to MS's denying of any possible security flaws until somebody else posts solid evidence. Then it throws a tantrum and calls people names.
If such a flaw is exclusive to Microsoft then Bill Gates must have an awful lot of offspring posting at Apolyton.
Old January 6, 2004, 00:25   #19
Asher
Apolytoners Hall of Fame
President of the OT
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by mrmitchell
Asher, I have said this before and I will repeat it, I was under the belief that the whole point behind Linux is that it's all open source, so within minutes of a bug's discovery you will have thousands of geeks fixing it and testing every possible issue.
That's fundamentally misinformed, in fact, it's downright naive. In any case, having thousands of geeks fixing a single thing would be a nightmare and would **** things up more than they fix it. How the Linux kernel works is different: regular contributors are assigned different sections, not unlike a corporation with teams working on different components. When there's a security hole or bug found, that team is notified and they fix the bug and release it with minimal testing, if any at all. -- OR -- someone contributes a patch to fix it. But this RARELY happens, kernel code is incredibly complex and changing one single thing can have side-effects in countless other components, so very rarely does this happen -- most of the time the "owner" of the code fixes it.

As for thousands of geeks testing it -- no one tests it until it's released. So when they release the patch, THEN it is tested -- not just by geeks, but whoever applies the latest patch.

The only difference between Open Source and Commercial development is Open Source people are not held personally responsible if a company applies the code and they lose tons of money in the process. Microsoft and others are liable for that to the tune of hundreds of millions, if not billions, of potential damage.

For this reason, Commercial software undergoes rigorous testing that takes weeks usually. If you've read any interviews with MS Security people responding to criticism, they'll confirm patches are written usually within the first 24-48 hours, but testing (and fixing any bugs that crop up in testing) takes weeks at least.

If anything, the Commercial software theoretically brings more secure code due to accountability for its actions. The problem is most people get confused because they don't understand why Windows is a far bigger hacker target than Linux or Apple systems, which is precisely why it usually has more reported bugs.

The more people you have blindly trying weird security crap on your code, the more likely someone is to find one.

It's simple logic, but it's evidently beyond the grasp of most *nix zealots.

Simply put, the concept of "thousands" of geeks on standby who are all intensely familiar with the vulnerable code is incredibly laughable. You're lucky to have one or two people who can fix that code reliably, and most of the Open Source people do not work on that code full time, it's a hobby for them. Further, they are not legally accountable for any damage their patch does to other components and how it affects people -- hence the lack of testing and quick response time.

It is NOT necessarily a positive how fast patches get released for Open Source. The people who think that need to do a bit more research and thinking...
Old January 6, 2004, 00:32   #20
Asher
Apolytoners Hall of Fame
President of the OT
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Another laughable allegation about Open Source is "testing every possible situation". If you've ever used an Open Source environment like Linux, you'd realize pretty quickly that "testing every possible situation" is about the last thing they do. Open Source software is usually developed by people in their spare time, and as such it is designed for something they want to use.

It's obvious by looking at Linux -- it's clearly designed by geeks, for geeks. This doesn't relate directly to security, but it's the most obvious trait that Open Source software is not tested from every angle -- only from the angle of people who want to use it.

Why should people waste hundreds of their own hours testing obscure, weird situations for side-effects if they ain't getting paid for it? MS pays people to do that, hence the weeks of testing...

Most of the new stuff is automated, trying as many combinations of configurations as possible on tens of thousands of virtual computers. Open Source software also doesn't have those resources, usually.
__________________
"I'll never doubt you again when it comes to hockey, [Prince] Asher." - Guynemer
Old January 6, 2004, 00:37   #21
Spiffor
Join Date: Nov 2001
Location: jihadding against Danish Feta
Posts: 6,182
Quote:
Originally posted by Asher
It's obvious by looking at Linux -- it's clearly designed by geeks, for geeks.
This is Linux's worst problem. It could be an excellent desktop OS very quickly if user-friendliness and interface tweaks were valued in the community (i.e. if you got real prestige from making another guy's program easy to use - for now, the prestige goes almost exclusively to the people developing code).
__________________
"I have been reading up on the universe and have come to the conclusion that the universe is a good thing." -- Dissident
"I never had the need to have a boner." -- Dissident
"I have never cut off my penis when I was upset over a girl." -- Dis
Old January 6, 2004, 01:12   #22
mrmitchell
King
Join Date: Sep 2002
Posts: 2,394
IOW, Asher, I draw these two points from your posts:

(1) Commercial software is accountable for its bugs.
So I could sue Microsoft the next time Office crashes and I lose my data?

(2) Linux is too complicated for a patch to be bug-free.
That's the problem with having a complicated, multi-use OS, and Windows probably has the same problem. On the one hand though the "Microsloth spends most of their time testing it" argument seems to check out. The solution for Linux might be to make a new kernel from scratch that's more efficient, but I know as much about Linux kernels as a spider knows about quantum physics, so maybe it won't happen.

The third minor point in your last post is that Linux won't break the desktop market because it's too geeky for the average consumer. I can't call BS, because the "average consumer" can barely work a TV remote control.
__________________
meet the new boss, same as the old boss
Old January 6, 2004, 01:18   #23
Asher
Apolytoners Hall of Fame
President of the OT
Join Date: Nov 1999
Location: Calgary, Alberta
Posts: 40,843
Quote:
Originally posted by mrmitchell
(1) Commercial software is accountable for its bugs.
So I could sue Microsoft the next time Office crashes and I lose my data?
It's iffy for home users. IIRC, the EULA explicitly forbids that but it's never been challenged in court and some say it wouldn't hold in court.

For corporate users, Microsoft has an "insurance" policy of sorts for security/bugs causing damage or otherwise loss of income for the company. This is the big one.

Quote:
(2) Linux is too complicated for a patch to be bug-free.
That's the problem with having a complicated, multi-use OS, and Windows probably has the same problem. On the one hand though the "Microsloth spends most of their time testing it" argument seems to check out. The solution for Linux might be to make a new kernel from scratch that's more efficient, but I know as much about Linux kernels as a spider knows about quantum physics, so maybe it won't happen.
It's not an inherent problem with how it's designed (or actually it might be, Linux is a monolithic kernel which academics have declared obsolete over a decade ago, but that's another debate...). The problem is, too few people are qualified to provide the patches. A comparable number of people can successfully patch bugs in Windows and Linux kernels. The thing is, the Windows people are usually paid to do this full time while the Linux people are not. Further, Windows patches are put through extensive testing by paid software engineers while Linux is not.

Quote:
The third minor point in your last post is that Linux won't break the desktop market because it's too geeky for the average consumer. I can't call BS, because the "average consumer" can barely work a TV remote control.
The "average consumer" can barely work Windows, too. But they're getting more and more used to it.

Linux is nowhere near being usable for them, and by the time it is (assuming it does get there), you'd have a hard time telling 80% of the people to retrain once again to use this other system when the one they have does the job just fine.

It's the kind of futility and realism that people like Urban Ranger just don't wanna face.
Old January 6, 2004, 13:18   #24
optimus2861
Chieftain
Join Date: Nov 2000
Location: Halifax, NS
Posts: 58
Quote:
Originally posted by Asher
The only difference between Open Source and Commercial development is Open Source people are not held personally responsible if a company applies the code and they lose tons of money in the process. Microsoft and others are liable for that to the tune of hundreds of millions, if not billions, of potential damage.
AHAHAHAHAHAHAHAHAHAHAHAHAH!

Oh, forgive me, my gut hurts. That sounds like the SCO FUD about "indemnification" being so important these days, when nobody in the software industry practices it anyway (including SCO).

I realize later in the thread you state that the "no warranty, no liability" clause may not hold up in court, but -- come on, if someone were going to sue Microsoft for damages from case after case of virus/worm outbreaks, don't you think it would have happened by now? Plus, in the case of corporate software licenses, where the license is negotiated & agreed to before the software is purchased, the "no warranty, no liability" clause almost certainly will hold up as the license (contract) was entered into freely by both parties. The party seeking liability on MS's behalf can certainly ask MS for it, and probably watch the per-seat cost of MS software explode dramatically upward in response.

Honestly -- when have you ever heard of Microsoft indemnifying its end-users, in any industry, of any size, from any potential software faults? If they were, you'd think they'd be blaring it from the hilltops as something that they do that Linux vendors don't/won't. They're not. Because they don't.

Ultimately I think it'll take legislation before any software vendors actually become generally legally liable for software faults -- they'll continue to hide behind licenses that disclaim all warranties & liabilities, and they'll get held up under contract law. Both commercial and open-source vendors work this way.

Quote:
If anything, the Commercial software theoretically brings more secure code due to accountability for its actions.
(word-substitution)
If anything, the Open-Source software theoretically brings more secure code due to the inability of the coders to hide their code from any outside inspection.
(/word-substitution)

Both theories can be argued at great length (OSS argument), and there's no definitive conclusion. It'd be dishonest to suggest otherwise.

Quote:
Further, they are not legally accountable for any damage their patch does to other components and how it affects people -- hence the lack of testing and quick response time.
Microsoft isn't legally liable either. That's the current state of affairs. Deny it if you wish, but you'd only be denying reality.
__________________
"If you doubt that an infinite number of monkeys at an infinite number of typewriters would eventually produce the combined works of Shakespeare, consider: it only took 30 billion monkeys and no typewriters." - Unknown
Apolyton Civilization Site | Copyright © The Apolyton Team