Not again! (security flaw in various Linux dist)

Status
Not open for further replies.
I still don't have much concern with Linux security. There always will be vulnerabilities on every platform, and Linux is among the best we've got. In the end, vulnerabilities are one thing. Theoretical vulnerabilities are less of an issue.
 
Posting walls of text in the computers section of Bob Is The Oil Guy will certainly get these lazy Linux writing charlatans off their collective duffs and fix bugs nobody has discovered yet.

This is exactly what you're asking for.

Software is written, tested to the best of their ability, and then released. It's really how everyone does it.

A lot of times it's not until this stuff gets into the hands of some really creative testers, or some rather vicious people that security problems are found.

There is really no way around that. The resources to write and debug and test 100% secure software don't exist. And no amount of text walls from non-technical armchair security information regurgitators is going to change that.
 
I'm curious why Mystic isn't going after Apple? Why didn't they discover the bug when they started working with it however many years ago?

Same with Heartbleed and all the mega corps using software with that bug. I didn't hear any Google bashing.
 
Originally Posted By: Mystic
I don't think these are theoretical.

Perhaps a bit more than theoretical, but what I mean is many of the issues have never actually resulted in definitive breaches. How often in Windows over the years has a vulnerability remained absolutely unknown by the security industry and the wider public until something actually goes wrong?

The Sophos link may have a plain English description, but it also has a none-too-subtle sales pitch in every paragraph.
 
Originally Posted By: Mystic
Maybe you should care also if the security of servers on the internet is at stake.

It is pretty funny when you think about it. I am the anti-open source and anti-Linux guy and I am the guy paying attention. I am the guy who cares about the security of internet servers.


Mystic, don't let them get you down. It is important that there are people like you who see the potential issues and care about them enough to draw attention to them.

You're looking out for all of us and it is appreciated.

I just don't know how everyone in this thread can ignore all the links you've provided. There are so many!
 
Originally Posted By: Apollo14
Originally Posted By: Mystic
Maybe you should care also if the security of servers on the internet is at stake.

It is pretty funny when you think about it. I am the anti-open source and anti-Linux guy and I am the guy paying attention. I am the guy who cares about the security of internet servers.


Mystic, don't let them get you down. It is important that there are people like you who see the potential issues and care about them enough to draw attention to them.

You're looking out for all of us and it is appreciated.

I just don't know how everyone in this thread can ignore all the links you've provided. There are so many!


Did you read the links? They are all scare tactics and sensationalism. Actual attacks resulting in critical data compromise are nonexistent to this point. There have been some nuisance attacks using the security hole.
 
Agreed. The Linux basics still hold true. It isn't going to mess with the OS without root access, which won't be had unless someone enters the super user or root password. It's not going to mess with one's encrypted data for similar reasons, too. And, it won't mess with other users' home folders.
 
We have nightly scheduled tasks where I work where updates from Red Hat are automatically applied (weekends too) unless a reboot is required (kernel patch). IIRC, Red Hat released a bash patch < 2 days from acking the issue.

So regular is this process, no one checks to see what is installed unless a patch application fails and an email is sent out; this is for "100s" of servers.

By policy internet facing machines must be patched within X hours of a patch release and internal machines within Y hours. By patching nightly, we are always compliant.

I do appreciate the attention to such issues (i.e. bash) but this discussion regarding it has continued on a full 5 or 6 times longer than my site was actually vulnerable. The servers were patched the night the patch was released, no one ran around the office, no one questioned the use of OSS; process handled it. Process.

The same holds true for my work laptop as I shut it down and it applies 5 updates; I thank the desktop guys for keeping on top of it, but I'm not scratching my head wondering who screwed up, how long it was screwed up, and why these issues need to be addressed. They are just addressed.

-T
 
Originally Posted By: uc50ic4more
Originally Posted By: Mystic
And for anybody who says that vulnerabilities are taken care of immediately in open source software, the Bash vulnerability (or perhaps I should say vulnerabilities) has existed for 25 years. 25 years in computer technology terms is an extremely long time.

Maybe the best thing that could happen for open source software would be for there to occur some very serious exploits. Exploits that lead to front page news. A few people might wake up then.


Wake up to what? That the track record and common-sense model of open source software and development is orders of magnitude superior to closed-source, for-profit garbage? Let them wake up! Remember to pay pay pay for and update your anti virus and anti malware and anti spyware software while you're going on about security...

I will take transparency, freedom and open standards and open source code over profit-driven, property-owning greed any and every day. If you like otherwise, great!

We might note, too, Mystic, that you yourself are the first to admit that you have zero technical or computing knowledge. Your posts indicate a complete lack of understanding of these things. You are clearly so terribly biased against free software (yet never explain why) that your posts are like broken records. If you do not like freedom, do not participate in it. Good luck using the internet.


Very true.
 
Originally Posted By: Trajan
Originally Posted By: uc50ic4more
We might note, too, Mystic, that you yourself are the first to admit that you have zero technical or computing knowledge. Your posts indicate a complete lack of understanding of these things. You are clearly so terribly biased against free software (yet never explain why) that your posts are like broken records.


Very true.


Insult him all you want but he is trying to save us.

One day, maybe tomorrow, maybe years from now or maybe even never, you'll see.
 
I have a lot more faith in a loose band of computer geeks from all over the World writing good secure code than huge corporations that are accountable to a government. Look at the .gov outrage on the Apple/Android announcements that no one will be able to access a person's phone. They'll likely be forced to cave and insert a back door. Likely in secret. Of course anyone then has access to the door. Accidental vulnerability < built in vulnerability.
 
Originally Posted By: hatt
I have a lot more faith in a loose band of computer geeks from all over the World writing good secure code than huge corporations that are accountable to a government. Look at the .gov outrage on the Apple/Android announcements that no one will be able to access a person's phone. They'll likely be forced to cave and insert a back door. Likely in secret. Of course anyone then has access to the door. Accidental vulnerability < built in vulnerability.


One more reason to run Android phones. You can get custom ROMs with stuff like that removed or run ROMs built completely from source and independent from Android.
 
Weird. I thought only Linux had the flaws.

Quote:
A Russian hacking group probably working for the government has been exploiting a previously unknown flaw in Microsoft’s Windows operating system to spy on NATO, the Ukrainian government, a U.S. university researcher and other national security targets, according to a new report.

http://www.washingtonpost.com/world/nati...0e9c_story.html
 
From the PDF

Quote:

Impacts all versions of Windows from Vista to 8.1

Windows Server 2008, 2012

Flaw has existed for years


Doesn't anyone ever review the code, or do they just cut and paste from one version of Windows when creating the next version of Windows? Wow, what are you actually paying for when you upgrade? A safer version? Apparently not.

Quote:

Zero day nature of vulnerability leads to conclusion that intrusion efforts were highly effective

Close collaboration between iSIGHT Partners and Microsoft patch is being released on Tuesday, October 14


So glad no one disclosed the issue prior to the patch; it is not like anyone would have wanted to take more active measures to monitor their infrastructure. Security by obscurity. No reason to look if you don't know it exists.
 
Programmers in general are so lazy nowadays. They'll put in a ton of existing code knowing they are only using about 20% of it. But it is faster and cheaper to do that than to re-write efficient code cutting out the fat that is unnecessary.

Also, a fair amount of this stuff is an intentional backdoor that they'll patch/close once it becomes public knowledge.
 
Originally Posted By: simple_gifts
From the PDF

Quote:

Impacts all versions of Windows from Vista to 8.1

Windows Server 2008, 2012

Flaw has existed for years


Doesn't anyone ever review the code, or do they just cut and paste from one version of Windows when creating the next version of Windows? Wow, what are you actually paying for when you upgrade? A safer version? Apparently not.

Quote:

Zero day nature of vulnerability leads to conclusion that intrusion efforts were highly effective

Close collaboration between iSIGHT Partners and Microsoft patch is being released on Tuesday, October 14


So glad no one disclosed the issue prior to the patch; it is not like anyone would have wanted to take more active measures to monitor their infrastructure. Security by obscurity. No reason to look if you don't know it exists.



What's that sound I hear? I think it's crickets chirping...
 
I just changed over my niece's laptop to Mint 17. She had Win 7; it was so loaded with malware and missing files it would hardly work. Then every time she'd try to go online ASK would redirect it somewhere. I removed over 3,000 pieces of malware, PUPs, and viruses, just for the heck of it hoping it would work. Then I discovered files were missing or corrupt and it wasn't working well. She didn't have the Win 7 software, I'm not sure why, which made the case for Mint even easier. Switching it over to Mint was easy, I formatted it, partitioned it and installed it. It went well and she loves it. My son's laptop will probably be next.
 