Stories
Slash Boxes
Comments

SoylentNews is people

posted by cmn32480 on Wednesday November 11 2015, @09:17PM   Printer-friendly
from the your-code-looks-like-swiss-cheese dept.

The Washington Post published an article today which describes the ongoing tension between the security community and Linux kernel developers. This has been roundly denounced as FUD, with Rob Graham going so far as to claim that nobody ever attacks the kernel.

Unfortunately he's entirely and demonstrably wrong, it's not FUD and the state of security in the kernel is currently far short of where it should be.

[Here is] an example. Recent versions of Android use SELinux to confine applications. Even if you have full control over an application running on Android, the SELinux rules make it very difficult to do anything especially user-hostile. Hacking Team, the GPL-violating Italian company who sells surveillance software to human rights abusers, found that this impeded their ability to drop their spyware onto targets' devices. So they took advantage of the fact that many Android devices shipped a kernel with a flawed copy_from_user() implementation that allowed them to copy arbitrary userspace data over arbitrary kernel code, thus allowing them to disable SELinux.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by tangomargarine on Wednesday November 11 2015, @11:13PM

    by tangomargarine (667) on Wednesday November 11 2015, @11:13PM (#261967)

    The security of the Linux commercial sucks. This guy disagreed, but he's wrong, and here's why:

    Then we go on to explain this example situation where it sounds like the kernel was fine until Google made a change that screwed it up and somebody found a way to disable a layer of security in their version.

    A) This is the fault of the kernel devs how, exactly?

    B) If memory serves, it doesn't even sound like it's particularly Google's fault as I bet they shipped a fixed copy of the code already and the device manufacturers just don't want to let their customers easily upgrade.

    That being said, it does sound like an interesting topic of discussion. Maybe the example is just a bit lacking.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 3, Interesting) by tangomargarine on Wednesday November 11 2015, @11:18PM

    by tangomargarine (667) on Wednesday November 11 2015, @11:18PM (#261969)

    Okay, this summary is another example of the problem where nobody writes god damn summaries, either here on or the other site.

    Instead, it's just the first 3 paragraphs copy-and-pasted from the article itself. While in theory this should be enough (with the journalistic rule that each paragraph further in you read presents less-important information), in this case the summary truncation occurs right before the article actually starts to explain its reasoning.

    Please. Please take a few minutes to write an actual summary.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 3, Insightful) by tangomargarine on Wednesday November 11 2015, @11:20PM

      by tangomargarine (667) on Wednesday November 11 2015, @11:20PM (#261971)

      And finally (sorry about the multiple posts):

      Phoenix666 writes:

      No he didn't. From the looks of it he literally just sent you an URL. Either that, or he wrote a summary the editor didn't like, so they just threw it out entirely and copy-pasted the beginning of the article.

      Sorry that I'm being snippy, but we have a hard enough time figuring out the real story when the publications themselves do shoddy articles; we don't need crap summaries, too.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 0) by Anonymous Coward on Thursday November 12 2015, @12:28AM

        by Anonymous Coward on Thursday November 12 2015, @12:28AM (#261996)

        If you click the "Original Submission" link right below the article, you can see which it was.