SoylentNews is people
SoylentNews
from the your-code-looks-like-swiss-cheese dept.
The Washington Post published an article today which describes the ongoing tension between the security community and Linux kernel developers. This has been roundly denounced as FUD, with Rob Graham going so far as to claim that nobody ever attacks the kernel.
Unfortunately he's entirely and demonstrably wrong, it's not FUD and the state of security in the kernel is currently far short of where it should be.
[Here is] an example. Recent versions of Android use SELinux to confine applications. Even if you have full control over an application running on Android, the SELinux rules make it very difficult to do anything especially user-hostile. Hacking Team, the GPL-violating Italian company who sells surveillance software to human rights abusers, found that this impeded their ability to drop their spyware onto targets' devices. So they took advantage of the fact that many Android devices shipped a kernel with a flawed copy_from_user() implementation that allowed them to copy arbitrary userspace data over arbitrary kernel code, thus allowing them to disable SELinux.
(Score: 3, Insightful) by Anonymous Coward on Wednesday November 11 2015, @10:24PM
The information age is at a critical point. We are at a crossroads where major parts of our lives depend on technology to work without fail or we face very serious consequences. Once things like self-driving cars become a daily reality this point will literally be life or death. At the core of this reliable operation is security. It is the last thing many developers think about but the single most important consideration when developing software.
Now is the time to train ourselves to think about security first when creating and extending technology into more areas of our daily lives. This has to start at with the kernel. Microsoft's kernel is a blackbox that simply cannot be widely audited and therefore not trusted in critical applications. This leaves Linux, BSD, etc. I think it would be a very good idea to shift development hours/focus from new feature implementation to a full security audit and bug-fix effort. This effort should then become a continually integrated part of kernel development. If it takes some sort of bureaucracy to enforce and organize this effort, so be it. It is important enough now to warrant it.
(Score: 1, Offtopic) by frojack on Wednesday November 11 2015, @11:01PM
It [security] is the last thing many developers think about ... when developing software.
No, its not.
Hasn't been for a long time.
Do you actually cut any code yourself?
No, you are mistaken. I've always had this sig.
(Score: 2) by Lunix Nutcase on Wednesday November 11 2015, @11:08PM
I do and his statement is quite true. It's actually quite scary who true it still is.
(Score: 1, Interesting) by Anonymous Coward on Wednesday November 11 2015, @11:16PM
I am a developer and work on Medicaid projects. The security in the projects I've seen would terrify you. If want the parent poster says seems foreign to you, count yourself as lucky.
(Score: 1, Insightful) by Anonymous Coward on Thursday November 12 2015, @08:09AM
I do, and my experience is the same.
However, this is in the proprietary world. Security takes time, and time costs money. When something will take two weeks without caring about security and without adequate testing, but at least four weeks if we have to do those things, and the customer has been promised a price that will pay for one week, security is not something we get paid for.
In the ideal world, the process go:
Specs -> design -> estimate -> deadline -> price -> development -> testing -> production.
In the real world, it goes:
Price -> deadline -> estimate -> development -> specs -> production -> testing.
(Score: 2) by frojack on Thursday November 12 2015, @08:17AM
We don't work that way. And our systems don't have security holes, and we ARE paid for that.
You should try it some time.
No, you are mistaken. I've always had this sig.
(Score: 3, Interesting) by MostCynical on Thursday November 12 2015, @09:46AM
I would like to congratulate frojack for being employed in an apparently ideal world.
Only slightly jealous.
Most projects I have worked on have only as much security as the contract or legislation required, and often only "in spirit" ("look 'xyz certification', we have that! (for one box, that we don't let anyone connect to the interwebs)")
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 2) by Lunix Nutcase on Thursday November 12 2015, @03:32PM
Good for you, but just because that is true for where you work does not mean it is true everywhere. There's that whole line of "evidence is not the plural of anecdote".
(Score: 2, Insightful) by Anonymous Coward on Thursday November 12 2015, @05:27PM
Wow.
Just. Plain. Wow.
Quite the rose-tinted glasses you have on there. Hint: just because you haven't yet found the security flaws in your code doesn't mean they aren't there.
(Score: 2) by etherscythe on Thursday November 12 2015, @08:53PM
Where do you work, NASA? DOD? There are few places that truly value security focus, and they usually handle it by throwing lots of money at it. Banks are vulnerable for crying out loud. I should not feel like I need an RFID blocker wallet in a world where security actually works.
Even studies of cryptography software show that the weakness on a security-focused application is generally the coding [schneier.com] (and yes, the end-user), and DUAL-EC-DRBG notwithstanding, not so much the algorithm. I'm still waiting for the secure by design OS [kaspersky.com] to release. FreeBSD is nice and all, but as soon as you install your program of choice to actually do anything with your system, you're vulnerable to all kinds of attack.
If everybody's favorite .gov bogeyman department can break in, it's insecure, and we have it on pretty good authority that they can (also recall how THEY got broken into, all kind of juicy info accessed, and couldn't even track the flow of data).
Sorry dude, any other subject I might be willing to let your ego play just a little bit fast and loose. Not this one. It's too important, and far too overlooked.
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 2) by etherscythe on Thursday November 12 2015, @10:06PM
Replying to myself in lieu of editing:
citation for "vulnerable to all kinds of attack": http://www.theguardian.com/world/2013/jun/17/edward-snowden-nsa-files-whistleblower#block-51bf3588e4b082a2ed2f5fc5 [theguardian.com]
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 0) by Anonymous Coward on Thursday November 12 2015, @08:49AM
Once things like self-driving cars become a daily reality
Do not buy self-driving cars unless they run entirely Free Software. Which they won't, and certainly not at first.