Die-hard bug bytes Linux kernel for second time • The Register Forums

Wednesday 15th September 2010 19:37 GMT K. Adams

** Sigh **

This is what happens when you develop an operating system that purports to work "the same" across multiple architectures: It doesn't.

By looking at the code for both the bug and the exploit, they each appear to be heavily x86-32/x86-64 dependent.

I would venture that there is a high degree of probability that this bug/exploit combination does not exist, for example, in versions of the Linux kernel developed and compiled for IBM's midrange (AS/400 / System i / System p) and mainframe (S/390 / System z) iron, in versions of the kernel developed to work on Cell-based parallel processing systems, or in versions compiled against SPARC machines.

This leads me to believe that it is perhaps the x86-32/x86-64 architecture that is at fault, at some lower level, for not properly securing access to 32-bit facilities provided by 64-bit processors. This kind of bug could **conceivably** be used to compromise Linux-based x86 hypervisors, by allowing an intruder to context-switch out of the virtual machine and into the host OS.

Granted, the fact that a regression of this magnitude was re-introduced into the Linux kernel is regrettable, but it isn't difficult to understand how such a mistake can be made, given the kernel's rather heterogeneous target audience. No one person, or group of persons, can be an expert on all of the different processor architectures supported by the Linux kernel.

6 1
1. Thursday 16th September 2010 09:04 GMT Displacement Activity
  
  No frickin title
  
  "This leads me to believe that it is perhaps the x86-32/x86-64 architecture that is at fault, at some lower level, for not properly securing access to 32-bit facilities provided by 64-bit processors".
  
  I have a different suspicion, having just written (with some difficulty) a device driver that runs on i686("x86_32")/PAE. It turns out that, on x86, a significant portion of the driver core was written specifically on the x86_64 branch, completely separately from mainline x86. It wasn't back-ported, and x86_32 has significant problems, particularly if you're on PAE. This is made much worse by the fact that the 'documentation' and the relevant book are several years old, and talk extensively about features which the reader assumes will exist on any current kernel, but which in fact didn't work on the most common port at the time, and still don't.
  
  In short, I'd be surprised if the processor is the problem here. Linux is my preferred OS, but it's obvious that there are significant management failings in the kernel development.
  
  3 0
2. Thursday 16th September 2010 12:55 GMT No, I will not fix your computer
  
  But....
  
  You're assuming that IBM/SunOracle by default would be "safe" by virtue of being different, this is an argument from obscurity, in reality the is more scruitiny of x86/x64 because of the availability and number of installations so issues are more likely to be found, these less common architectures aren't somehow magic. I would concur that this particular bug/exploit/weakness probably doesn't exist (byte order might, for example affect it), but that doesn't mean there isn't something unique to these architectures that x86 doesn't have.
  
  The "heterogeneous target" excuse is also faulty, for example, the 10 year old bug in SPARC Solaris that allowed direct root login using telnet was re-introduced into Solaris 10, OK telnet is old hat and probably not active on most Solaris 10 installs, but it's just a well publicised example.
  
  1 0
  1. Thursday 16th September 2010 16:06 GMT K. Adams
    
    Being different
    
    > You're assuming that IBM/SunOracle by default would be "safe" by virtue of being different...
    
    In this case, yes. Given an examination of the code, there seem to be a considerable number of explicit references to x86-32-specific and x86-64-specific registers and features (%rax, %eax, %ecx, %edx, %rsp, etc.), which would obviously not exist on POWER or SPARC architecture CPUs.
    
    > The "heterogeneous target" excuse is also faulty, for example, the 10 year old bug in SPARC Solaris that allowed direct root login using telnet was re-introduced into Solaris 10
    
    I disagree on this point. telnet is an application, and so is not inherently architecture-dependent at the source-code level.
    
    The x86-32/x86-64 call stack translation subsystem, being a hardware-oriented component of the Linux kernel specific to the x86 architecture, **is** architecture-dependent at the source-code level. This makes it very likely that this bug would not be reproduced in Linux kernels compiled against other CPU types.
    
    0 0
Wednesday 15th September 2010 19:37 GMT Steen Hive

You know the noise "facepalm" makes?

*Thunk*

4 2
1. Wednesday 15th September 2010 21:23 GMT Tom Maddox
  
  Sort of
  
  That's really more of a *headdesk*.
  
  2 0
Wednesday 15th September 2010 19:43 GMT xj25vm

Title

"This is true, but the existence of vulnerabilities like these are a big deal in corporate, government and educational environments, where Linux is a mainstay. "

Well, I find the above flattering to the Linux community. Which is great. But can it be supported with some proof? Wouldn't something like "where Linux has a significant user base" or "where Linux is deployed in significant numbers" been a more defensible position?

1 0
1. Wednesday 15th September 2010 22:47 GMT Anonymous Coward
  
  Linux IS A Mainstay
  
  Deutsche Börse - leading derivatives platform - soon all Linux
  
  Google - all Linux
  
  Facebook - all Linux
  
  CERN - leading end-the-world-fear-attractor/Master Proton Smasher - all Linux
  
  Android - Linux
  
  countless faceless devices like DSL routers - Linux
  
  Even though the financial sector has the money to buy from IBM and MS, they have discovered that it makes much more sense to go with the Google approach (hire smart and expensive people, use Linux and other FOSS).
  
  Adobe, MS and Oracle demonstrated this year that their ability to adapt and fix problems is comparable to the ability of a slug to cross a highway. Eventually they will make it.
  
  Linux fixes exploits in two days, normally. Now somebody fixed Adobe's crap with a hex editor. They don't manage even though they have the source. I guess their developers don't have time for that because they busily update their "personal performance metrics and professional development" Excel sheet. If they are not held up by a "global business intelligence meeting". Or by fixing their Visual SourceSafe code-fermentization&decomposition facility.
  
  I once worked for Quark, and they did use VSS.
  
  20 3
  1. Thursday 16th September 2010 12:27 GMT Anonymous Coward
    
    @Strongtype
    
    Can you cite a few sources for your linux use? I know for a fact that Google are pretty heavy Windows users, their servers may well be linux, but do you remember the rather large hack from China earlier in the year?
    
    1 3
    1. Thursday 16th September 2010 13:31 GMT Anonymous Coward
      
      CERN and Other Scientific Linux Users
      
      http://blog.internetnews.com/skerner/2008/09/large-hadron-collider---powere.html
      
      http://linux.web.cern.ch/linux/scientific5/
      
      https://www.scientificlinux.org/
      
      In General
      
      http://en.wikipedia.org/wiki/Supercomputer
      
      0 0
    2. Thursday 16th September 2010 14:34 GMT Anonymous Coward
      
      Google and Linux
      
      AFAIK, all servers at Google are Linux. I interviewed with them and Windows was never asked about. But questions like "how do you kill a process if the max number of processes is executing" ?
      
      http://en.wikipedia.org/wiki/Google_platform
      
      http://www.cs.wpi.edu/~cs4241/2000d/class11.pdf
      
      http://rakaposhi.eas.asu.edu/f02-cse494-mailarchive/msg00138.html
      
      http://video.google.de/videoplay?docid=3526134640911302384&q=google+cluster+site:video.google.com&total=579&start=0&num=10&so=0&type=search&plindex=0#
      
      http://uwtv.org/programs/displayevent.aspx?rid=2879
      
      0 2
    3. Thursday 16th September 2010 14:34 GMT Anonymous Coward
      
      Facebook & Linux
      
      http://www.sysadminslife.com/linux/facebook-ein-blick-hinter-die-kulissen-und-in-das-komplexe-system/
      
      0 0
    4. Thursday 16th September 2010 14:34 GMT Anonymous Coward
      
      Tokio Stock Exchange
      
      http://www.golem.de/1003/74009.html
      
      0 0
    5. Thursday 16th September 2010 14:34 GMT Anonymous Coward
      
      Deutsche Börse & Linux
      
      http://blogs.computerworld.com/14637/linux_powers_worlds_fastest_stock_exchange
      
      http://customers.redhat.com/2010/03/03/deutsche-boerse-red-hat-mrg-case-study/
      
      http://www.computerwoche.de/software/software-infrastruktur/1904146/
      
      0 0
    6. Thursday 16th September 2010 16:37 GMT Tom 13
      
      @Fraser: Don't need a source, just a brain.
      
      Given the kind of computing power needed to do the indexing Google does to support as many users as Google does, if they were paying MS for even a significant minority of their servers, MS would be a far more profitable company than it is.
      
      0 0
    7. Thursday 16th September 2010 20:49 GMT Stephen Bungay
      
      Some sources of Info...
      
      @ Fraser
      
      As I understand it the hack attack on Google was not their public search engine servers et all but against the corporate infrastructure, i.e. the network of desktop machines used in the corporate offices. See http://techcrunch.com/2010/01/12/google-china-attacks.
      
      Google has also been reported to be kicking Windows to the curb in its corporate infrastructure. See
      
      http://www.zdnet.com/blog/btl/google-dumps-windows-is-microsofts-os-headed-down-a-troubled-path/35212
      
      for more on that one.
      
      0 0
      1. Friday 17th September 2010 15:24 GMT Anonymous Coward
        
        Err...
        
        @Tom - I do have a brain, my brain says to me that the hack of Windows machines that was plastered all over the Internet a few months ago suggests that Google are Windows users. I made no statement suggesting that they are exclusively Windows users, which would be idiotic as they are obviously heavy Linux users. Many companies run heterogeneous networks, it's very rare to find companies which use a single OS/Hardware platform.
        
        @Stephen - Thanks for the serious reply...
        
        0 1
Wednesday 15th September 2010 19:43 GMT frymaster

"valid account on the machine" is stretching things a bit

let's say your linux PC is a mail server, and it scans incoming mail for viruses. Let's also say there's a bug with the archive tool you use, meaning a malformed archive can be used to execute code on the machine (it's happened)

congratulations, you now have a "valid account on the machine" and can use this exploit. see also: anything that manipulates images, and a malformed image, etc. etc. etc.

you don't need to have SSH access; you just need to be able to run commands on the machine

2 4
Wednesday 15th September 2010 19:47 GMT Cyfaill

linux kernel

Grows and changes every three-ish months.

Not to diminish this as having significance, but the Linux kernel is the largest software project on earth... it is always changing... that kind of makes it a moving target as far as exploits are concerned.

Currently it is at 2.6.35.x I think. The system is inherently safe anyway.

4 14
1. Wednesday 15th September 2010 21:23 GMT K. Adams
  
  Inherently wha?
  
  > The system is inherently safe anyway.
  
  Huh?
  
  Not sure what you mean by that... No computer operating system, application, or platform can be called "inherently safe" unless it was specifically designed for safety from the ground-up. Very few general-purpose, consumer- and commercial-grade operating systems and platforms fall into this category.
  
  Telco-grade Class 4 (4ESS) and Class 5 (5ESS) circuit switching equipment, certain automated railroad signalling systems, some types of industrial control equipment, and various medical device control systems fall may fall into the "inherently safe" category, but your home or office PC, even if it runs Linux, most assuredly does not.
  
  I'm an ardent GNU/Linux supporter, and have been using it almost exclusively as my OS of choice for the better part of 10 years now (none of my home PCs run Windows or Mac OS X). Even so, I would be foolhardy if I trusted it to be "inherently safe."
  
  While I do believe that GNU/Linux-based operating systems are **safer** in many ways than Windows and Mac OS X, I have seen my share of GNU/Linux boxes crash-and-burn (figuratively) because of poor configuration, lackadaisical patching, improper oversight, and yes, even the not-so-occasional bugs (both new and regressed).
  
  13 0
2. Wednesday 15th September 2010 21:23 GMT bazza
  
  Duh?
  
  > The system is inherently safe anyway.
  
  Urrrrm, not.
  
  You're not related to Steve Jobs are you?
  
  4 0
3. Wednesday 15th September 2010 21:53 GMT K. Adams
  
  General purpose, inherent safety
  
  To clarify my earlier position: That is not to say that general-purpose computing systems with inherent safety don't exist. They do; they're just not very common.
  
  One general-purpose computer design that **may** be considered "inherently safe" -- if properly implemented -- is a so-called "Harvard architecture" machine. This type of computer has physically separate data and code (program) buses and memories, so data can't grow to overwrite code, and code can't grow to overwrite data. The IBM ASCC/Harvard Mark I was the basis for this type of design. Modern examples of this kind of architecture include embedded systems based around AVR (Atmel Corp) and PIC (Microchip Technology, Inc.) microcontrollers.
  
  1 1
  1. Thursday 16th September 2010 09:19 GMT AOD
    
    RE: General purpose, inherent safety
    
    There have been some more general purpose examples of "Harvard architecture" machines, one example was the souped up StrongARM cpu released for the Acorn RiscPC.
    
    I remember at the time a number of apps/utilities falling over as their self-modifying code tricks would no longer work (one legit use was executables that would self decompress and run back when hard drive space was a lot pricier).
    
    I don't know if any of the subsequent ARM designs continued to make use of this or not.
    
    0 0
    1. Thursday 16th September 2010 12:40 GMT Charles 9
      
      To answer your question...
      
      The ARM7 is von Neumann; the ARM9 is Harvard.
      
      Just-In-Time Compilation is a modern case which Harvard architectures can't handle, either. Basically, any program that builds or modifies code to be executed on the fly (IOW, a program that necessarily blurs the code/data divide) cannot work in a Harvard architecture.
      
      0 0
  2. Thursday 16th September 2010 12:40 GMT Anonymous Coward
    
    Nope
    
    Your Stack is still unprotected, as the program *must* be able to change it. It is a bit more complicated, but still possible. Stack smashing does not necessarily include injecting machine code.
    
    Simple Example:
    
    there is a
    
    int exec_shell(char* cmd);
    
    function. All you have got to manage is to put "rm -rf /" on the stack, change the return address to the function above and you are set to delete the whole file system of that machine (assuming it is a root process).
    
    This is just one of the simple examples, btw.
    
    0 0
  3. Thursday 16th September 2010 15:33 GMT foederati
    
    Harvard architectures are not guaranteed-secure
    
    Just because the data and code memory sections do not overlap does not mean it is impossible to attack a Harvard architecture machine. While they make it much less likely to *accidentally* break the machine by overwriting code, it is still possible to use code that already exists to form programs. For instance, appropriately changing function return addresses to take you into very specific parts of known libraries, then forming those bits of known code into programs.
    
    For reference, see "Code Injection Attacks on Harvard-Architecture Devices" by Francillon and Castelluccia at the 2008 ACM Computer and Communications Security Conference. You might also be interested in looking into return oriented programming, e.g. "The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)" by Hovav Shacham at CCS 2007.
    
    0 0
    1. Thursday 16th September 2010 20:49 GMT K. Adams
      
      Conditionals
      
      > Just because the data and code memory sections do not overlap does not mean it is impossible to attack a Harvard architecture machine.
      
      I never indicated that attacking a Harvard architecture machine was impossible. I indicated that Harvard machines may be considered "inherently safe," depending on implementation.
      
      Hence the " **may** be considered 'inherently safe' -- if properly implemented " bit.
      
      It should be kept in mind that some of the more modern Harvard architecture machines are microcontrollers in embedded systems, which are (generally) more readily hardened against code infiltration and code rewriting attacks, by virtue of requiring the chip containing the software to be physically removed and mounted in an EEPROM programmer to modify the programs stored within.
      
      However, even this level of protection only gets you so far. Not even a Harvard machine will stand up to a highly sophisticated attack, if the attacker can gain access to the processor's address and data buses, divert the bitstreams to an external system for processing and analysis, then inject specially-crafted data back into the system.
      
      A given system can therefore only be considered "inherently safe" with regard to the purpose for which it is designed. A microcontroller implementation which is suitable for telco use, and considered "inherently safe" by the telecom industry, may not be suitable for running a nuclear missile launch control system. The device is thus "inherently safe" for one application, but not another.
      
      0 0
4. Thursday 16th September 2010 09:14 GMT some vaguely opinionated bloke
  
  what version?
  
  "... the Linux kernel is the largest software project on earth... it is always changing... that kind of makes it a moving target as far as exploits are concerned."
  
  Yes indeed, if all existing installations are patched or upgraded as soon as the new version is available.
  
  What percentage of installations still use the original vulnerable kernel? What percentage use the first fixed kernel? What percentage use the second vulnerable kernel? What percentage are going to be patched today with the fixed fixed kernel?
  
  How many users (home or business) actually upgrade the kernel every three-ish months?
  
  It might be a moving target, but if it's a mile long it takes a minute to pass through your sights at 60mph... plenty of time to get quite a few shots off...
  
  3 0
  1. Thursday 16th September 2010 17:37 GMT Keith Williams
    
    title, I don't need no frackin' title
    
    1/2 mile @ 60mph=1/2 minute
    
    0 0
  2. Friday 17th September 2010 13:26 GMT ejmarkow
    
    Patch Promptly Applied
    
    > Yes indeed, if all existing installations are patched or upgraded as soon as the new version is available.
    
    Patch applied and kernel upgraded.
    
    [ejm@Galicja ~]$ uname -a
    
    Linux Galicja 2.6.36-rc4-git3-ARCHMOD #1 PREEMPT Fri Sep 17 13:17:59 CEST 2010 x86_64 Genuine Intel(R) CPU 575 @ 2.00GHz GenuineIntel GNU/Linux
    
    It was a cake walk!
    
    > How many users (home or business) actually upgrade the kernel every three-ish months?
    
    I upgrade almost every time a significant patch comes along, and that can be once per week.
    
    0 0
5. Friday 17th September 2010 12:29 GMT ejmarkow
  
  Current Linux Version
  
  > Currently it is at 2.6.35.x I think.
  
  Actually, as of today (Friday, September 17, 2010), the current version is:
  
  Linux Kernel 2.6.36-rc4-git3 (includes the patches for the most recent exploit)
  
  I just downloaded applied the patch, compiled and installed it on my box.
  
  [ejm@Galicja ~]$ uname -a
  
  Linux Galicja 2.6.36-rc4-git3-ARCHMOD #1 PREEMPT Fri Sep 17 13:17:59 CEST 2010 x86_64 Genuine Intel(R) CPU 575 @ 2.00GHz GenuineIntel GNU/Linux
  
  0 0
Wednesday 15th September 2010 20:18 GMT cor

Yawn....

Maybe we should just make the kernel 'closed source' and then no-one would ever know about vulnerabilities.

Amazing how the cliky-clicky brigade gets all horny when a weakness in Linux is exposed.

Get a life. :)

10 5
1. Wednesday 15th September 2010 21:54 GMT Antidisestablishmentarianist
  
  Awwww
  
  is the poor little linux boy getting upset because someone is getting a taste of the same medicine every other OS gets when a fault is found.....
  
  Be careful getting off your high horse - it's a long way down.
  
  9 12
  1. Thursday 16th September 2010 12:54 GMT JEDIDIAH
    
    A Bug versus a Virus.
    
    > is the poor little linux boy getting upset because someone is
    
    > getting a taste of the same medicine every other OS gets
    
    > when a fault is found.....
    
    It's not the same "medicine" at all.
    
    When Windows has a problem it's usually much more meaningful and real malware is released to the wild and people's systems actually get infected. The architecture of the system makes a bug like this far less dangerous.
    
    Local root exploits are as old as Unix and predate Linux entirely.
    
    2 1
  2. Thursday 16th September 2010 16:06 GMT kissingthecarpet
    
    its a legitimate point
    
    No, the point he's making is that other OS's try to hide their crap code by keeping it secret.
    
    By the way, if you have no strong views on the CofE being established or not, then your handle is a bit sad. I think I've made a similar point to you in the past. You do know what your handle refers to, I presume?
    
    My handle, however, refers to something that I do frequently, one way or another.
    
    1 0
2. Wednesday 15th September 2010 21:55 GMT CapitalW
  
  [Imagine catchy title here]
  
  Being closed source hasn't kept Windows vulnerabilities from being made public..... Malware developers don't let a simple license clause making it illegal to disassemble code slow them down.
  
  No matter what the OS, there will be vulnerabilities; even the old VIC-20 and C64 had their weak spots that would render them useless permanently.
  
  I prefer using Linux over any other OS, but don't operate under a delusion that it is 100% safe. Among the reasons I am such a fan of Linux and other open source software is that I love to play around with the code under the hood.
  
  5 0
3. Thursday 16th September 2010 12:30 GMT Wize
  
  Being open source...
  
  ...shouldn't this have been found and patched ages ago?
  
  Oh wait, it was.
  
  2 1
Wednesday 15th September 2010 20:18 GMT Anonymous Coward

Linux fans

"No doubt, Linux fans will be quick to point out that the bug can be exploited only by those with a valid account on a targeted machine in the first place."

This Linux fan tells you that it's a valid point, no matter you try to bashing it. Do you want to discuss the Print Spooler privilege escalation bug on Windows XP? I'm asking it because the existence of vulnerabilities like these are a big deal in corporate, government and educational environments. Sigh...

Are the Windows "news" of critical bugs boring nowadays?

3 1
1. Thursday 16th September 2010 23:00 GMT Anonymous Coward
  
  Someone help me out here
  
  ...but is there even coverage on privilege escalation issues inside Windows?
  
  I don't think there was any to-do being made after this Defcon presentation (http://vimeo.com/14581715) and, unless I missed something, there isn't any current defense against the escalation exploits much less "fixes".
  
  Maybe I'm off base with that statement. I know the guys had practiced their demo, I know they could break into lots of things - including Linux - but the way they described what they were doing with Powershell appeared to indicate that there was a huge hole allowing you to do pretty much whatever you wanted once you authenticated.
  
  0 0
Wednesday 15th September 2010 20:30 GMT Tom Chiverton 1

Gee

Gee, thanks Red Hay. Nice one.

0 0
Wednesday 15th September 2010 20:44 GMT Anonymous Coward

Largest? Really?

RE: t"he Linux kernel is the largest software project on earth."

I've never heard that before, is it true or just something that seemed cool to write?

1 1
1. Wednesday 15th September 2010 23:06 GMT Tim Parker
  
  Re : Largest? Really?
  
  "I've never heard that before, is it true"
  
  No. The latest release (2.6.35) has about 13.5 million lines of (non-documentation) code in it however, so it is quite substantial.
  
  " or just something that seemed cool to write?"
  
  Probably.
  
  0 0
  1. Thursday 16th September 2010 10:57 GMT Daren Nestor
    
    Or is it?
    
    If you think of the number of developers working on it, and the length it's been running as well as the code size, it might well qualify
    
    3 0
  2. Thursday 16th September 2010 12:24 GMT Anonymous Coward
    
    Jeez...
    
    That's some serious bloatware. No wonder they keep finding these bugs. Let's hope it never really goes mainstream or we could be in some big shit,.
    
    1 5
Wednesday 15th September 2010 21:26 GMT captain_solo

Open = Secure?

Its an operating system. Bugs are part of the process, as are security vulnerabilities. Fortunately the Unix/Linux/Mac world is built on an inherently secure foundation (which is why in almost every corporate, government, and education environment some distant relative of BSD System V has a significant installed base) and why these vulnerabilities are rarely seen in the wild - it still happens and part of the inherent security is the relatively small adoption among non-technical users. Windows might be more vulnerable indeed, but its vulnerability is heightened by the large numbers of users not regularly patching, and not using security software which the OS developer says is needed, its part of their security strategy like it or not. I don't think Linux is the second coming of anything, but this is just one of those things that happens during the process, not worth going all chicken little about.

2 0
1. Monday 20th September 2010 09:15 GMT tropic_elf
  
  Inherently secure
  
  Mr/Ms/Mrs/Dolphin captain_solo, it would really help your case if you didn't just *say* that unix-clones are inherently secure, but also provided some *evidence* of this Inherent Security.
  
  0 0
Wednesday 15th September 2010 21:54 GMT Homard

Sounds like a code fork BORK

All multideveloper code has forks all over the place.

Something has happened to allow this bug back in to the codebase. The question is what ? Across the board the fact that this is not a frequent issue indicates the codebase management tools are pretty good.

Sheesh I can't even manage my own projects properly ! Or maybe I just can't program very well.

Who am I to criticise ?

4 0
1. Thursday 16th September 2010 01:05 GMT sT0rNG b4R3 duRiD
  
  FAIL
  
  Yes, this is indeed a problem
  
  We should not look at *JUST* the bug but *HOW* it was allowed to happen and try and put safeguards against such a future recurrence.
  
  Human beings will always make mistakes but we should try and minimize them.
  
  One cannot deny this was sloppy.
  
  However, one should look at the positive side of it. The bug currently in question was found and reported because someone out there could look at the source. And there are people out there constantly looking at it. It is definitely a plus that we can do this.
  
  Who knows how many bugs remain hidden in, for example, windows because it is still closed?
  
  4 0
Wednesday 15th September 2010 23:07 GMT Anonymous Coward

we think a measured WTF is in order.

Is this official El Reg policy?

2 0
1. Thursday 16th September 2010 09:14 GMT some vaguely opinionated bloke
  
  furthermore,
  
  ... what is the accepted unit of WTF with which it should be measured?
  
  (icon is apt though not in the way originally intended)
  
  1 0
  1. Thursday 16th September 2010 12:30 GMT Wize
    
    You'd need to define a unit of WTF-age
    
    Something small like the bunny with a pancake on its head.
    
    1 0
Wednesday 15th September 2010 23:23 GMT Anonymous Coward

Security By Obscurity Helps !

I know the argument that SBO does not work. But imagine you had all the source code of a bank. From the RAID controller up to the internetbanking software. Only passwords and data memory contents would be a secret.

A dedicated hacker would find a way into that in a couple of weeks, completely undetected. He could even set up a demo system and perform lots of fuzzing.

The same applies to NSA, GCHQ or BND. All you had to do would be to push out the Virus/Worm over an unencrypted SATCOM system and inject it right into their collection system. I assume this would actually be a quite direct link to Mr Obama's computer. After all, he is a consumer of that intel.

Security By Obscurity makes it impossible (or rather "improbable" ?). Please sleep well.

0 13
1. Thursday 16th September 2010 01:06 GMT amehaye
  
  Re StrongType
  
  Someone is *wrong* on the Internet. Right now, that someone is you.
  
  13 0
  1. Thursday 16th September 2010 09:53 GMT Peter Jones 2
    
    Actually...
    
    Little of column A, little of column B.
    
    SBO as the only security implementation is doomed to fail. But, if StrongType means that implementing SBO *in addition* to other sceurity practices is a good idea, well, it kind of is.
    
    There is a reason safe doors are opaque and not transparent. It's a lot easier to crack the thing if you can see all the moving parts.
    
    1 0
2. Thursday 16th September 2010 08:41 GMT Anonymous Coward
  
  Nice!
  
  I love a bit of comedy SciFi with my breakfast.
  
  Cheers!
  
  2 0
3. Thursday 16th September 2010 10:27 GMT max allan
  
  Wrong on so many levels...
  
  What makes you think a dedicated hacker couldn't find his way into a SBO system in a couple of weeks?
  
  The same time spent poring over the source code can be sent doing an awful lot of "random" packet injection.
  
  In an open system, the "cleverest" person wins. If he's on your side you're going to beat the hacker. As soon as he notices the flaws he tells you and you close them.
  
  In an SBO system, if someone does get in undetected, nobody else is looking at it to tell you where your flaws are, you're never going to know.
  
  Look at the number of software products out there with licence restrictions that "cracks" are available for to see how often closed source is defeated.
  
  1 0
Wednesday 15th September 2010 23:23 GMT Anonymous Coward

Now all we need...

is some conspiracy theorist alleging that Mr. Roland McGrath from RedHat has ties to the NSA...

0 0
1. Thursday 16th September 2010 01:06 GMT Anonymous Coward
  
  I've heard that Mr. Roland McGrath...
  
  of Redhat has ties to the NSA. Anyone else heard that?
  
  3 0
2. Thursday 16th September 2010 09:53 GMT FuzzyTheBear
  
  Flies Black helicopter too !
  
  He is :) RedHat is a NSA full undercover outfit with ties with the FBI
  
  Oh .. throw in Linus Torvalds included the code back in cause that allows the NSA to get in and out your box as they please and all of a sudden we have a tin foil hat crowd ready for more.
  
  It's for the people's own good. Oh .. and ElReg ( while at it ) also supports fully Interpol and MI-5
  
  by sending them all your comments ... Your suspicion something's odd will land you in Guantanamo. See you there :)
  
  lol
  
  0 0
Thursday 16th September 2010 01:09 GMT Anonymous Coward

@Larget Software Project

The 5,000 or so people who worked on 100m lines of Lucent 5ESS code beg to differ or at least compete.

Linux is only the biggest in terms of number of developers and other contributors working on it. In lines-of-code terms its relatively small.

IMO, whole distributions such as Redhat, Debian, or Mandrivia as FOSS "Projects" can be considered far larger with their close to billions of LOC and tens of thousands of contributors work being pulled in.

2 2
1. Thursday 16th September 2010 05:24 GMT Anonymous Coward
  
  Brian, is that you?
  
  Or Ken, or Dennis?
  
  0 0
Thursday 16th September 2010 08:57 GMT Michael H.F. Wilkinson

My code-base is bigger than yours

arguments seem a bit petty. Adding pointless LOC is only too easy, whereas keeping something small and functional is an art in itself. Yes I was proud of the 150kLOC I wrote for an image processing system, but more proud that it could easily be ported, and worked in less than 640kB of memory (MS-DOS-days).

I would be far more proud if I could create a fully functional kernel with half the LOC of the current Linux kernel. The point is I cannot,of course ;-)

1 0
Thursday 16th September 2010 09:10 GMT Ocular Sinister

Unit test?

Now, I know its boring to do, but why don't they write automated test cases for bugs as they get fixed. Fair enough, they had a bug and it got fixed. Not fair enough that it was re-introduced - that was avoidable by following some simple processes like refusing to accept the patch without a corresponding automated test.

5 0
Thursday 16th September 2010 09:14 GMT Trevor_Pott

Squirrel!

As above.

(Might make sense if you watch the daily show.)

0 0
Thursday 16th September 2010 09:14 GMT Anonymous Coward

The Word For Today Is.........

I am inherently pleased the posts on this subject have not resorted to the inherent tendency to overuse the adjective inherent.

This appears to be inherent in a lot of posts you read these days. Particularly with regard to security and it's inherently important role in operating systems.

For example the, incorrect, assertion that the Linux kernel is inherently safe.

I for one am inherently glad that inherent and it's friend, intrinsic, are not being used incorrectly by people just to make them sound clever.

4 2
Thursday 16th September 2010 09:17 GMT Magnus_Pym

Wow. Turns out peer review works.

Who knew?

1 0
Thursday 16th September 2010 11:38 GMT Anonymous Coward

@ Magnus_Pym

Actually it seems that peer review in this case is the cause of the problem:

A problem was found and fixed: Yay! for peer review.

However the problem was then regressed back in: Boo! for whatever review system failed here.

The problem was not looked for again because it had already been found* and fixed: Boo! for peer review.

Now, we all know these things are rife in Windows code but that should make it even less likely to happen in the open source world.

*I assume when you basically ask people to look for bugs with no real direction then it is human nature to only look for something new and interesting rather than invest your precious free time in looking at something that has already been "found". Although as I have no programming abilities I have no involvement in the linux bug searching process so I don't know how it works.

1 0
Thursday 16th September 2010 12:39 GMT Anonymous Coward

Disappointing...

that El Reg didn't mention once again that Ubuntu is the most popular distro and soon to take over the world. Bit of a fail there, a break from policy and all that.

The assertion that Red Hat has ties to the NSA and others is ridiculous. Having a former Joint Chiefs Chair as Board Chair at Red Hat is only coincidental and portends nothing along that line. One should have explicit trust in a Joint Chiefs Chair as it is nearly the highest political office in the land - the Homeland, that is. Not the Fatherland or the Motherland - but the mother of all lands - The Motherland.

That fist up your rear as you move through the airline terminal is proof that the Generals have made the Homeland safe against all enemies - real or imaginary.

0 2
Thursday 16th September 2010 13:31 GMT Anonymous Coward

Nice Little Graph

http://en.wikipedia.org/wiki/File:Operating_systems_used_on_top_500_supercomputers.svg

Bottom Line: Linux has already won in the datacenter. With Android, it attacks PCs from below. Mr Ballmer will have a hard time sandwiched like this.

Actually, Penguins eat other animals, despite looking so cute...

1 1
1. Friday 17th September 2010 15:30 GMT Anonymous Coward
  
  @Strongtype
  
  Supercomputing is a tiny aspect of datacentre and one which the vast majority of companies have no use for. You may as well say that because z/OS runs on pretty much all Mainframes that it has won in the datacentre. This ignores other platforms - VMS, Windows, Tandem, Commercial UNIX, BSD UNIX all of which are still used in datacentre, Windows and Unix in massive numbers.
  
  0 0
  1. Monday 20th September 2010 08:58 GMT Anonymous Coward
    
    Agreed
    
    - this graphic is about Supercomputing. Still, from what I see in all sorts of high-speed, high-troughput applications in the *commercial* datacenter, Linux is winning. Frankfurt, Tokio, NYSE to some unknown extent, Google Search Engine, Facebook all on Linux.
    
    Countless other systems in Finance on Linux. Almost all new development is now done on Linux in the financial industry (talking of the datacenter). Only the little Excel hacks and strange departmental Access database happen on Windows.
    
    There still are quite a few mainframe systems (MVS, VMS, Tandem etc) in operation, but most new systems are done in Linux/C++ (for the most demanding systems) or on Linux/Java (for less demanding requirements). As soon as programmers have understood how they have to map the workload on hundreds of cheap Linux PCs, the mainframe becomes an incredibly expensive option. Windows server is also much more expensive, if you multiply CPUs with the license cost. In addition, Linux comes with ssh/bash out of the box while you have to buy lots of strange stuff for Windows server if you want to administer a huge cluster. And then, develop some more strange stuff in C++ yourself to just operate/administer the cluster.
    
    0 0
Thursday 16th September 2010 13:31 GMT Anonymous Coward

Linux In The Financial Industry

http://customers.redhat.com/category/industry/financial-services/

0 0
Thursday 16th September 2010 16:37 GMT Henry Wertz 1

Kernel updates not uncommon

@some vaguely opinionated bloke, re: what percentage will upgrade the kernel.. probably a fairly large percentage. Kernel updates are part of the usual updates on most distros -- not just haphazzardly upgrading to the latest and greatest (except on the likes of gentoo ~x86, or debian current heh..) but porting bug fixes and especially security patches back to whatever kernel that distro shipped with and shipping out an update. I can't speak for all distros, but the tendency for a lot of distros is to even continue releasing security updates for older versions that are otherwise unsupported.

I would venture some don't even notice when the kernel updates -- there are places where the version number is shown but it's a minor digit update, for instance my Mini 10 (with Ubuntu 8.04 netbook edition) went from 2.6.24-24-lpia to 2.6.24-27-lpia. Easy to not even notice since it's 2.6.24 either way 8-).

----------

Regarding the kernel bug being thrown in twice... as a big Linux fan, I'll make no excuse for this, frankly it's rather embarrasing that they managed to fix a security bug then reintroduce it. All I can say is it shows everyone is human 8-). I guess it didn't affect me since none of my systems are running 64-bit kernels 8-).

2 0
Thursday 16th September 2010 18:57 GMT John Smith 19

Biggest software project on the planet?

Well I'd that *might* be one made for the biggest institutions on the planet.

The Indian Railway system.

The Chinese Army

The British National health Service.

The Indian Railway timetabling and booking system is meant to be *pretty* big and of course various bits of the NHS system are certainly costly (not sure how much of them was written from *scratch* however)

Does anyone know if the Chinese Army run any bespoke software?

0 0
Thursday 16th September 2010 20:48 GMT Cyfaill

Largest software project ever - yes

I see that perhaps a bit of help in understanding what I wrote:

http://www.youtube.com/watch?v=L2SED6sewRw

It is the largest... hundreds of companies supply code which potentially make it into the kernel.

I stand by what I say... what make it inherently safe is the active participation of those who use it.... trying to make it perfect... no, it can't be done, but the continual effort brings to the development a tenacious and durable code which make it a tough and capable product which represent the best efforts of some of the most clever software people alive.

Flame on, but it is the truth, Linux is the collective effort of a massive broad and diversified interests from around the world. Linux dominates because it is that good. It is in thousands of uses all over the world.

0 0
Thursday 16th September 2010 20:49 GMT fskmh

Hello grsec

"No doubt, Linux fans will be quick to point out that the bug can be exploited only by those with a valid account on a targeted machine in the first place."

Nope, but I'd like to point out that this doesn't work on a grsec-patched kernel (just tried it on 2.6.34.6-grsec). Let's see you preempt that one.

0 0
Thursday 16th September 2010 23:00 GMT sisk

It's still news

I'll just point out that this made the news. Bugs of this nature on certain other OSes ceased to be front page matieral decades ago.

Mine's the one with the custom rolled Debian live CD in the pocket.

1 0
Friday 17th September 2010 08:59 GMT Anonymous Coward

linux != linux

Man, funny how many people can't wait to push some large companies forward who are using "linux". See; google uses it so... Yes, google uses linux. But what people always forget to mention is that they hacked it beyond recognition. Most companies don't use "linux" as we know it; they merely adopted it as a foundation.

0 1
1. Friday 17th September 2010 22:35 GMT sisk
  
  Still Linux
  
  Yes they've hacked the hell out of it. The fact that you can do that is one of Linux's greatest strengths. Don't believe me? Try to do it using Windows as a starting point.
  
  Besides, you're wrong. Android is quite recognizable as Linux. I can't speak about the data centers but I'd imagine the same is true of them.
  
  0 0
Friday 17th September 2010 13:26 GMT Anonymous Coward

Why Windows Can't Compete

Using a Unix Computer is done by actually a kind of ASCII-based programming:

Say you want to know who accessed the file MyFirstGo.html on you web server. On Unix you just Command The Computer using ASCII:

$ grep MyFirstGo.html /var/log/apache2/access.log |cut -d " " -f1|sort|uniq|xargs -l1 nslookup|grep "name ="

53.112.74.212.in-addr.arpa name = e1-1.ns500-1.ts.milt.as9105.net.

10.197.11.217.in-addr.arpa name = isgservices.frankfurter-softwarefabrik.de.

40.124.105.78.in-addr.arpa name = 78-105-124-40.zone3.bethere.co.uk.

27.48.46.80.in-addr.arpa name = 80-46-48-27.static.dsl.as9105.com.

176.213.92.84.in-addr.arpa name = wbucknall.force9.co.uk.

216.4.16.86.in-addr.arpa name = client-86-16-4-216.pete-bam-1.pete.adsl.tesco.net.

What would you do on Windows ? Yeah, get your credit card ready, shell out 500 dollars to buy a "web analytics" tool with a nice clicky-clicky GUI. Three days later you have a little bit different problem. What do you do ? Pull again the credit card out of the pocket ??

Windows is doomed because the metaphor that users are dimwits who can only click on pictures is an insult to anybody's intelligence. The MS CTO already realized that Google is the "internet command line". He meant it derogatory, but it is exactly the truth, just in the way MS does not want it to be.

1 3

Topics

Special Features

Vendor Voice

Resources

COMMENTS

** Sigh **

No frickin title

But....

Being different

You know the noise "facepalm" makes?

Sort of

Title

Linux IS A Mainstay

@Strongtype

CERN and Other Scientific Linux Users

Google and Linux

Facebook & Linux

Tokio Stock Exchange

Deutsche Börse & Linux

@Fraser: Don't need a source, just a brain.

Some sources of Info...

Err...

"valid account on the machine" is stretching things a bit

linux kernel

Inherently wha?

Duh?

General purpose, inherent safety

RE: General purpose, inherent safety

To answer your question...

Nope

Harvard architectures are not guaranteed-secure

Conditionals

what version?

title, I don't need no frackin' title

Patch Promptly Applied

Current Linux Version

Yawn....

Awwww

A Bug versus a Virus.

its a legitimate point

[Imagine catchy title here]

Being open source...

Linux fans

Someone help me out here

Gee

Largest? Really?

Re : Largest? Really?

Or is it?

Jeez...

Open = Secure?

Inherently secure

Sounds like a code fork BORK

FAIL

we think a measured WTF is in order.

furthermore,

You'd need to define a unit of WTF-age

Security By Obscurity Helps !

Re StrongType

Actually...

Nice!

Wrong on so many levels...

Now all we need...

I've heard that Mr. Roland McGrath...

Flies Black helicopter too !

@Larget Software Project

Brian, is that you?

My code-base is bigger than yours

Unit test?

Squirrel!

The Word For Today Is.........

Wow. Turns out peer review works.

@ Magnus_Pym

Disappointing...

Nice Little Graph

@Strongtype

Agreed

Linux In The Financial Industry

Kernel updates not uncommon

Biggest software project on the planet?

Largest software project ever - yes

Sigh