Not again! (security flaw in various Linux dist)

You say "they" like it's the same group of people writing bad code causing all of the recent bugs. That's very far from reality.

This is no more or less severe than many, many of the vulnerabilities that have been found and patched in most browsers. It will be patched quickly.

You can't possibly believe software should have no bugs whatsoever.

ALSO:

Date: Jul 25 2014
Fix Available: Yes Vendor Confirmed: Yes

I think you just have an axe to grind with *nix for some reason.
 
That's the deal with open source, though. You can't have it completely both ways. The developer community cannot fix what it doesn't know about, and you can't get the skilled public at large to volunteer unless they know there's an issue and are able to get the information readily. It's easy to say you don't want the hackers to know about the vulnerabilities, but it's exceedingly difficult to keep hackers out of the information loop, all the while allowing relatively unvetted volunteer developers to help.

Bugzilla and its ilk have to be relatively open and accessible. I found the root cause ("root," get it?) to the GPG problem in the Mint distribution and passed that up the line. I knew exactly what the problem was and what needed to be fixed, but not precisely how to fix it. I did, however, need the ability to send the information up the line and know if it had been done already.
 
The issue is with Bugzilla which a lot of OSS developers use as a bug tracking tool; they use it to track Windoze based software bugs too.

Not a Linux issue, except some of the Linux kernel bugs might be documented in the database, which indicates vectors of attack.
 
Originally Posted By: Garak
That's the deal with open source, though. You can't have it completely both ways. The developer community cannot fix what it doesn't know about, and you can't get the skilled public at large to volunteer unless they know there's an issue and are able to get the information readily. It's easy to say you don't want the hackers to know about the vulnerabilities, but it's exceedingly difficult to keep hackers out of the information loop, all the while allowing relatively unvetted volunteer developers to help.

Agreed.


It seems anytime there is an open source vulnerability, Mystic is all over it, like the sky is going to fall... Even if it's a relatively minor thing that can only be exploited under a certain set of unlikely conditions, or where inconsequential things can be accessed. I don't recall seeing him bash Microsoft exploits and vulnerabilities, no matter how bad or how common they are.
 
This model provides an excellent framework where vulnerabilities are quickly addressed. Lack of transparency (closed source) allows issues to be unaddressed for YEARS. There are hundreds of examples of this which open a few Windows on how poor some companies' software development can be.
 
Originally Posted By: The_Eric
It seems anytime there is an open source vulnerability, Mystic is all over it, like the sky is going to fall... Even if it's a relatively minor thing that can only be exploited under a certain set of unlikely conditions, or where inconsequential things can be accessed. I don't recall seeing him bash Microsoft exploits and vulnerabilities, no matter how bad or how common they are.

+1 He seems to have a hate for Linux and open source technology.
 
I don't care very much for open source software and Linux. But most of the servers on the internet are running some version of Linux. So if there are security issues involving those Linux servers, IT AFFECTS ALL OF US, regardless if somebody likes Linux or not. The security of those internet servers affects not just somebody who happens to use a Linux computer at home. It affects Windows users also. And some of the vulnerabilities can also affect Mac computers, or at least Mac OS X computers being used as servers.

Why attack the messenger and not listen to the message? Shellshock, according to the sources I have checked, is EXTREMELY SERIOUS. It is a critical security issue. Do you care?

I have supplied sources of information. Maybe it would be a good idea to spend more time checking out those sources of information rather than attacking the messenger personally. Denying that problems exist does not solve the problems.

And it certainly says something about the quality of coding in open source and Linux distributions. I can remember when we were being told here that there were an army of dedicated volunteers checking this open source code to make sure there were no mistakes. Well, it should be obvious that was not true. Because they are finding security issues and incredibly bad programming and lazy programming and little concern for security. They are finding vulnerabilities all over the place.

Does the coding for open source software really look any better than Microsoft Windows coding? And since there is no army of dedicated, eager volunteers to check for problems in the open source coding, the bad guys are dedicated enough and willing to check for the security holes. If too many security issues are found and exploited, what will that do for the image of open source software and Linux software?

Kaspersky is considered one of the best antivirus companies in the world. Go to Threatpost, a Kaspersky website, and see what they say about Shellshock. It is all a simple click of the mouse away.

Too many people here attack the messenger when they have no argument. Attacking the messenger achieves nothing. Yes, personally I don't care much for open source software and Linux. I do care about the security of internet servers, regardless if they are Linux, Mac OS X, Windows or whatever because the security of those servers does affect ME!

Maybe you should care also if the security of servers on the internet is at stake.

It is pretty funny when you think about it. I am the anti-open source and anti-Linux guy and I am the guy paying attention. I am the guy who cares about the security of internet servers.
 
And for anybody who says that vulnerabilities are taken care of immediately in open source software, the Bash vulnerability (or perhaps I should say vulnerabilities) has existed for 25 years. 25 years in computer technology terms is an extremely long time.

Maybe the best thing that could happen for open source software would be for there to occur some very serious exploits. Exploits that lead to front page news. A few people might wake up then.
 
Even when there are Linux vulnerabilities, the way Linux operates helps prevent them from being catastrophic. It is difficult to exploit even known holes in Linux.
 
That is a lot of noise for little to no damage. Even most servers weren't running additional code that allowed the bash exploit.
 
This is the Computer Section. The security of Linux servers affects everybody, regardless of what somebody thinks about Linux. And I own a Mac Computer so the security of my Mac Computer could be affected also. What is wrong with me bringing up this important computer security issue in the Computer Section?

Anytime that somebody attacks the messenger and does not have arguments concerning the message, I become concerned. Lots of people attack the messenger rather than the message at this website. They would fail high school debating class.

I think this Shellshock is an important security issue and of worthwhile concern to be brought up in the Computer Section. Certainly many news agencies and security companies seem to think it is worthy of concern. So why does the messenger get attacked?

There is concern that literally millions of computers and other equipment and devices might be affected. Some expensive equipment on a huge scale might have to be replaced. And this is not important?

3 Yahoo servers have already been taken offline because of the vulnerability not related to Shellshock that apparently the bad guys found when they were searching for servers that might have this Shellshock vulnerability.

This Shellshock security issue is entirely worthy of being considered here in the Computer Section. It is an important issue affecting computers and computer security.
 
Sometimes Mystic, you just have to persevere with what you believe, regardless of what others say.
 
Originally Posted By: Mystic
And for anybody who says that vulnerabilities are taken care of immediately in open source software, the Bash vulnerability (or perhaps I should say vulnerabilities) has existed for 25 years. 25 years in computer technology terms is an extremely long time.

Maybe the best thing that could happen for open source software would be for there to occur some very serious exploits. Exploits that lead to front page news. A few people might wake up then.

Wake up to what? That the track record and common-sense model of open source software and development is orders of magnitude superior to closed-source, for-profit garbage? Let them wake up! Remember to pay pay pay for and update your anti virus and anti malware and anti spyware software while you're going on about security...

I will take transparency, freedom and open standards and open source code over profit-driven, property-owning greed any and every day. If you like otherwise, great!

We might note, too, Mystic, that you yourself are the first to admit that you have zero technical or computing knowledge. Your posts indicate a complete lack of understanding of these things. You are clearly so terribly biased against free software (yet never explain why) that your posts are like broken records. If you do not like freedom, do not participate in it. Good luck using the internet.
 
Originally Posted By: Mystic
This is the Computer Section. The security of Linux servers affects everybody, regardless of what somebody thinks about Linux. And I own a Mac Computer so the security of my Mac Computer could be affected also. What is wrong with me bringing up this important computer security issue in the Computer Section?

It isn't your topics of discussion that are odd. It is your infatuation with it and trying to paint it as some end all be all argument against open source software despite all real world data staring you right in the face in disagreement.

Seeing that you own a Mac does explain a bit of where you are coming from, though. Mac users typically feel that you get what you pay for and if you are paying more for your products than everyone else you are getting the best. It also explains why you fear these issues to a degree that significantly outweighs the actual risks. You are used to Apple taking care of everything for you and not having to worry about it.

The Linux world is going to take over the market at some point in the not too distant future. Android, Chrome OS, etc. are all Linux OSs. With Microsoft continually botching their newer products and moving toward subscription based Windows licenses and Apple's communist nature, Linux is only going to grow faster and faster.
 
Funny about bash "security issue" being out there for 25 years.

In the PC world, 1989 was when someone could turn on a computer and start using it unauthenticated, put in a floppy disk and install whatever they wanted.

Unix appeared to have "security issues" in 1989; Windows PCs were struggling with any notion of "security" at all.
 
My point is proved by the personal attacks. This subject I brought up, about the Shellshock vulnerability, is an entirely appropriate subject to bring up in the Computer Section. News agencies, security experts, and security companies throughout the world are discussing these issues. A person merely has to type 'Shellshock' into a web browser to find numerous sources of information about all of this.

The security of everybody on the internet depends on the security of servers on the internet. Everybody has to use Linux servers and maybe Unix, Mac OS X, and BSD servers and Windows servers. It does not matter if a person likes or dislikes open source software and Linux or not. Most of the servers on the internet are Linux servers. So the security of those servers affects everybody.

Instead of a discussion about all of this there are personal attacks, including an individual commenting about my computer expertise and that person has no knowledge whatsoever what sort of computer training I have received and what kind of experience I have.
 
Originally Posted By: Mystic
Why attack the messenger and not listen to the message? Shellshock, according to the sources I have checked, is EXTREMELY SERIOUS. It is a critical security issue. Do you care?

I have supplied sources of information. Maybe it would be a good idea to spend more time checking out those sources of information rather than attacking the messenger personally.

Sometimes, one has to look at the messenger, and I don't mean you. I'm talking about the media and the security companies. The media doesn't know much about anything, let alone open source software and coding. Computer security consultants have a product to sell. Companies like Kaspersky have a product to sell.

If every internet connected computer switched to a Linux distro tomorrow, Kaspersky would either be simply doomed or have to convince Linux users that they need the product and their expertise. They have no choice, but one has to temper the message with that in mind.

Kaspersky has to pay for their $150 million plus annual ads on Ferrari F1 cars somehow.
 
Well, Garak, as usual, you seem to be the first one with good commentary instead of silly personal attacks. As usual, you are my favorite Linux person here. Or I guess I could say you are my only favorite Linux person.

I agree that the media often does not know much about anything, although it depends on what media you are talking about. There are some media outlets that know a lot about computers and computer technology and they have commented on Shellshock and Heartbleed and the Bugzilla bug also. You have to realize that SANS has talked about this Shellshock vulnerability. That means something. And the general media is getting information from various computer security experts and computer security firms.

And of course Kaspersky is making a lot of money selling antivirus software. But I think you are probably willing to agree that Kaspersky is one of the very best antivirus companies out there. So I think what their experts have to say means something. On the other hand, I heard about Kaspersky's own servers being attacked twice. And apparently they were using open source software for their servers (Linux, I guess). That looks a little bad if a security company's own servers get attacked.

Too many experts however are saying that this Shellshock is very serious. And I do not share your confidence that all servers on the internet are going to be updated immediately. In fact, they are even having problems with the updates. There is some evidence that the updates do not cover the entire problems. For example, some people are saying that Apple's updates covered only two out of three issues. And more vulnerabilities are being located. Kaspersky people talked about that. And Yahoo talked about a vulnerability other than the Bash (Shellshock) vulnerability. In the case of Heartbleed six months after Heartbleed had been discovered there were many, many servers that had not been updated. Including many servers of major companies.

You know I don't care much about open source software and Linux. But something like maybe 66% of the servers on the internet are Linux servers. So anybody who uses the internet has to be concerned about the security of those servers. I may not especially like Linux, but I want those Linux servers to be secure. It is in my interest that they are secure. It is in everybody's interest that they are secure. I am going to include a few sources of information you might be interested in.

And thanks for being a gentleman and not a jerk, and thanks for being willing to discuss things instead of attacking somebody personally.


http://www.stuff.co.nz/technology/digita...h-internet.html

ech.mit.edu/V134/N41/shellshock.html

ww.newsfactor.com/news/1%20Billion%20Attacks%20Hit%20Shellshock%20Flaw/story.xhtml?story_id=01000147BK84

http://www.programmableweb.com/news/shel...rnet/2014/09/30

https://www.us-cert.gov/ncas/current-act...n-Vulnerability

I had problems getting the source from SANS.
 